Windows Analysis Report PI#EB01122021.exe

Overview

General Information

Sample Name: PI#EB01122021.exe
Analysis ID: 533085
MD5: a6d5cd1e1ff086014a001bbed0d94c42
SHA1: bcd4ca105885e8c636603002108ec7988b08e406
SHA256: 68bcb49a4f5f2491ef6606a57d1713362478e18edc2197c5daeaf1e887533999
Tags: exe

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Detected Remcos RAT
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: Suspicious Script Execution From Temp Folder
Contains functionality to steal Firefox passwords or cookies
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Contains functionality to inject code into remote processes
Deletes itself after installation
Sigma detected: WScript or CScript Dropper
Installs a global keyboard hook
Injects files into Windows application
Delayed program exit found
Contains functionality to steal Chrome passwords or cookies
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Drops PE files
Contains functionality to read the PEB
Binary contains a suspicious time stamp
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to launch a control shell (cmd.exe)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

AV Detection:

Found malware configuration
Source: 0000000A.00000002.923611069.0000000001307000.00000004.00000020.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "79.134.225.119:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "notepad.exe", "Startup value": "notepad", "Hide file": "Disable", "Mutex": "Remcos-GWVBZH", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Enable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}
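The extracted configuration is the most actionable part of this report. It names the C2 (host 79.134.225.119, TCP port 2404, connection password "1"), the mutex, the install location (%APPDATA%\Remcos\notepad.exe, which matches the dropped file listed below), the keylog file and both Run-key persistence settings. The Python below is an added example, not part of the Joe Sandbox report, that turns those fields into concrete host and network indicators. Two things in it are assumptions rather than facts from the report: the sandbox profile path C:\Users\user, and the '|' separator for multiple C2 entries (this sample carries exactly one).

```python
import json
import ntpath

# The configuration as the report's extractor printed it, trimmed to the fields
# used below (values copied from the report; nothing here is invented).
REPORT_CONFIG = r'''{"Host:Port:Password": "79.134.225.119:2404:1",
 "Assigned name": "RemoteHost", "Install flag": "Enable",
 "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable",
 "Install path": "AppData", "Copy file": "notepad.exe", "Copy folder": "Remcos",
 "Startup value": "notepad", "Mutex": "Remcos-GWVBZH",
 "Keylog flag": "1", "Keylog path": "AppData", "Keylog folder": "remcos",
 "Keylog file": "logs.dat", "Audio path": "AppData", "Audio folder": "MicRecords"}'''

# Assumption: the sandbox user profile. Substitute the victim's profile when hunting.
DEFAULT_APPDATA = r"C:\Users\user\AppData\Roaming"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def load_report_config() -> dict:
    """Decode the extractor's JSON; the escaped backslashes in key names collapse to one."""
    return json.loads(REPORT_CONFIG)


def parse_c2(cfg: dict) -> list:
    """Split 'host:port:password' into tuples. Assumption: several C2 entries
    would be joined with '|' (this report carries exactly one)."""
    entries = []
    for item in cfg["Host:Port:Password"].split("|"):
        if not item:
            continue
        host, port, password = item.split(":", 2)
        entries.append((host, int(port), password))
    return entries


def derive_iocs(cfg: dict, appdata: str = DEFAULT_APPDATA) -> dict:
    """Turn install, keylog and persistence settings into concrete artifacts.
    Only the 'AppData' location name is mapped, because that is the value in
    this report; any other location name is passed through unchanged."""
    base_dirs = {"AppData": appdata}

    def resolve(location: str, *parts: str) -> str:
        return ntpath.join(base_dirs.get(location, location), *parts)

    run_keys = []
    for setting, hive in (("Setup HKCU\\Run", "HKCU"), ("Setup HKLM\\Run", "HKLM")):
        if cfg.get(setting) == "Enable":
            run_keys.append(f"{hive}\\{RUN_KEY}\\{cfg['Startup value']}")

    return {
        "c2": parse_c2(cfg),
        "mutex": cfg["Mutex"],
        "dropped_binary": resolve(cfg["Install path"], cfg["Copy folder"], cfg["Copy file"]),
        "keylogging_enabled": cfg.get("Keylog flag") == "1",
        "keylog_file": resolve(cfg["Keylog path"], cfg["Keylog folder"], cfg["Keylog file"]),
        "audio_dir": resolve(cfg["Audio path"], cfg["Audio folder"]),
        "run_keys": run_keys,
    }


if __name__ == "__main__":
    for name, value in derive_iocs(load_report_config()).items():
        print(f"{name:20} {value}")
```

The derived dropped_binary path is exactly the one the report lists under "Multi AV Scanner detection for dropped file", which is a useful sanity check that the mapping of "Install path"/"Copy folder"/"Copy file" is right; the keylog and audio paths follow the same rule but are not shown elsewhere in the report, so treat them as expected rather than observed artifacts.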
Multi AV Scanner detection for submitted file
Source: PI#EB01122021.exe ReversingLabs: Detection: 24%
Yara detected Remcos RAT
Source: Yara match File source: 12.0.notepad.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.notepad.exe.3e88ef0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.notepad.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.notepad.exe.42e8ef0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.notepad.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.notepad.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.notepad.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.notepad.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PI#EB01122021.exe.3489930.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.notepad.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.notepad.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.notepad.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.notepad.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.notepad.exe.400000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.notepad.exe.400000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.notepad.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.notepad.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.notepad.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.notepad.exe.42e8ef0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.notepad.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PI#EB01122021.exe.3938ef0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.notepad.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.notepad.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.notepad.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.notepad.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.notepad.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.notepad.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.notepad.exe.4078ef0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.notepad.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.notepad.exe.400000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.notepad.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.notepad.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.notepad.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.notepad.exe.4199000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.notepad.exe.3bc9930.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.notepad.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.notepad.exe.4388ef0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.notepad.exe.3e88ef0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.notepad.exe.400000.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.notepad.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PI#EB01122021.exe.3938ef0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.PI#EB01122021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.notepad.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.notepad.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.notepad.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.notepad.exe.3ed9930.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.notepad.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.notepad.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.notepad.exe.4388ef0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.notepad.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.notepad.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.notepad.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.notepad.exe.3e39930.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.notepad.exe.39d9930.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.notepad.exe.400000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.notepad.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.notepad.exe.400000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.notepad.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.notepad.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.notepad.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.notepad.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.notepad.exe.3e89000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PI#EB01122021.exe.3749000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.notepad.exe.4078ef0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.PI#EB01122021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.notepad.exe.3c99000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.notepad.exe.40f9000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.notepad.exe.3ed9930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.notepad.exe.3e39930.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PI#EB01122021.exe.3489930.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.notepad.exe.39d9930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.notepad.exe.3bc9930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.923611069.0000000001307000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.665707954.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.747132927.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.723857494.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.710552942.00000000010F7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.668087697.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.746294295.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.750190502.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.727672917.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.724829494.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.667581883.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.706138674.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.666944230.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.698084508.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.674208538.0000000000FB7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.708512420.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.697551075.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.746714985.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.690545853.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.747620790.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.750930266.0000000000A37000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.729381755.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.709640591.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.664681826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.707894778.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.696164588.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.748212725.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.923123873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.706739548.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.691529752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.749457172.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.691017660.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.748825104.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.688839344.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.725530815.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.728757346.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.707310183.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.665184295.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.729849603.0000000001027000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.726516834.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.709107178.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.673320463.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.666364820.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.724333978.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.710208184.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.753512383.0000000003BC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.701679427.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.671210492.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.713877257.0000000003E39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.736965742.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PI#EB01122021.exe PID: 6884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PI#EB01122021.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 5492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6436, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 5156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 7160, type: MEMORYSTR
Multi AV Scanner detection for domain / URL
Source: 79.134.225.119 Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe ReversingLabs: Detection: 24%
Machine Learning detection for sample
Source: PI#EB01122021.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0042F31F CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 4_2_0042F31F
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0042F31F CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 10_2_0042F31F
Source: PI#EB01122021.exe, 00000001.00000002.671210492.0000000003489000.00000004.00000001.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance:

Uses 32bit PE files
Source: PI#EB01122021.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: PI#EB01122021.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00406AEE SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW, 4_2_00406AEE
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0040A047 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 4_2_0040A047
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00418144 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 4_2_00418144
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0040A262 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 4_2_0040A262
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00406360 FindFirstFileW,FindNextFileW, 4_2_00406360
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0040783D __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_2_0040783D
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00407C95 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_2_00407C95
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00447D49 FindFirstFileExA, 4_2_00447D49
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00415DC8 FindFirstFileW,FindNextFileW,FindNextFileW, 4_2_00415DC8
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0040A047 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 10_2_0040A047
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00418144 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 10_2_00418144
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0040A262 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 10_2_0040A262
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00406360 FindFirstFileW,FindNextFileW, 10_2_00406360
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0040783D __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 10_2_0040783D
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00407C95 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 10_2_00407C95
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00447D49 FindFirstFileExA, 10_2_00447D49
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00415DC8 FindFirstFileW,FindNextFileW,FindNextFileW, 10_2_00415DC8

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Network Connect: 79.134.225.119 2404
Note that the connecting process is the RAT's own copy, dropped as notepad.exe under %APPDATA%\Remcos according to the "Copy file" and "Copy folder" configuration values above, not the Windows notepad.exe in System32; the signature keys on the process name.
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 79.134.225.119
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FINK-TELECOM-SERVICESCH
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 79.134.225.119
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49766 -> 79.134.225.119:2404
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00413468 Sleep,URLDownloadToFileW, 4_2_00413468
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.119 (this line is repeated 50 times in the report: every connection to the C2 went straight to the IP address with no DNS lookup)
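The network heuristics in this section are simple enough to reproduce in your own telemetry: a client opened TCP 192.168.2.4:49766 to 79.134.225.119:2404 without ever resolving a name for that address, and 2404 is not a port any service the host legitimately uses. The Python below is an added example, not Joe Sandbox code, that runs both checks over constructed, tab-separated rows modelled on Zeek's dns.log and conn.log. Only the 192.168.2.4 -> 79.134.225.119:2404 flow comes from the report; the other rows, the timestamps and the "standard port" set are assumptions chosen for the illustration.

```python
import csv
import io
import ipaddress

# Constructed sample logs (not from the report). The 49766 -> 79.134.225.119:2404
# flow is the one the sandbox observed; the other rows are made up for contrast.
DNS_LOG = """\
ts\tsrc\tquery\tanswers
1638300000.10\t192.168.2.4\tupdates.example.net\t203.0.113.10
1638300000.50\t192.168.2.4\tmissing.example.net\t-
"""

CONN_LOG = """\
ts\tsrc\tsrc_port\tdst\tdst_port\tproto
1638300001.00\t192.168.2.4\t49760\t203.0.113.10\t443\ttcp
1638300005.00\t192.168.2.4\t49766\t79.134.225.119\t2404\ttcp
1638300006.00\t192.168.2.4\t49770\t192.168.2.1\t445\ttcp
"""

# Assumption: ports a workstation is expected to talk to on the Internet.
STANDARD_PORTS = {80, 443, 53, 25, 587, 993, 995, 123}


def resolved_ips(dns_log: str) -> set:
    """Collect every IP address that appeared as a DNS answer."""
    seen = set()
    for row in csv.DictReader(io.StringIO(dns_log), delimiter="\t"):
        for answer in row["answers"].split(","):
            try:
                seen.add(str(ipaddress.ip_address(answer.strip())))
            except ValueError:
                continue  # "-" (no answer) or a CNAME target, not an address
    return seen


def find_direct_ip_connections(conn_log: str, resolved: set) -> list:
    """Flag outbound flows to public IPs that no DNS answer explains, and
    separately note a destination port outside the expected set."""
    alerts = []
    for row in csv.DictReader(io.StringIO(conn_log), delimiter="\t"):
        dst = ipaddress.ip_address(row["dst"])
        if dst.is_private or dst.is_loopback or dst.is_link_local:
            continue  # internal traffic belongs to a different detection
        reasons = []
        if str(dst) not in resolved:
            reasons.append("no_dns_resolution")
        port = int(row["dst_port"])
        if port not in STANDARD_PORTS:
            reasons.append("nonstandard_port")
        if reasons:
            alerts.append({"src": row["src"], "dst": str(dst),
                           "dst_port": port, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_direct_ip_connections(CONN_LOG, resolved_ips(DNS_LOG)):
        print(f"{a['src']} -> {a['dst']}:{a['dst_port']}  {', '.join(a['reasons'])}")
```

In production the DNS cache needs a time window (the answer must precede the connection, and old answers expire), and the two reasons deserve different weights: a direct-to-IP connection alone is common for CDNs and telemetry, while direct-to-IP on an unusual port, as here, is a strong signal on its own.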

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Remcos\notepad.exe
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_004089F0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 4_2_004089F0
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00413718 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 4_2_00413718
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00413718 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 4_2_00413718

E-Banking Fraud:

Yara detected Remcos RAT

System Summary:

Malicious sample detected (through community Yara rule)
Detected potential crypto function
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 1_2_00A3C694
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 1_2_00A3EAC8
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 1_2_00A3EAD8
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00423115
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00411234
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_004323C0
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0043538A
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0042F42A
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0043B56C
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0041B537
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00434641
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0042360C
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0044C7FB
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0043B79B
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_004357BF
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00452880
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0043191B
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0043B9CA
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0044E981
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00434B3D
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00423CAA
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00440D30
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00423DED
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00434F55
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0044CF19
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00419F80
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 9_2_0287C694
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 9_2_0287EAC8
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 9_2_0287EAD8
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00423115
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00411234
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_004323C0
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0043538A
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0042F42A
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0043B56C
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0041B537
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00434641
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0042360C
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0044C7FB
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0043B79B
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_004357BF
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00452880
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0043191B
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0043B9CA
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0044E981
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00434B3D
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00423CAA
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00440D30
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00423DED
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00434F55
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0044CF19
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00419F80
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 11_2_02CBC694
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 11_2_02CBEAC8
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 11_2_02CBEAD8
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 11_2_053EEFB8
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 11_2_053EEFF0
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 11_2_053EEFE2
Uses 32bit PE files
Source: PI#EB01122021.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 12.0.notepad.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.notepad.exe.3e88ef0.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.0.notepad.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.notepad.exe.42e8ef0.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.PI#EB01122021.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.PI#EB01122021.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.0.notepad.exe.400000.12.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.0.notepad.exe.400000.14.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.0.notepad.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.0.notepad.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.PI#EB01122021.exe.3489930.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.0.notepad.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.0.notepad.exe.400000.20.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.0.notepad.exe.400000.16.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.0.notepad.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.0.notepad.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.0.notepad.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.0.notepad.exe.400000.20.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.0.notepad.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.0.notepad.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.0.notepad.exe.400000.20.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.0.notepad.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.0.notepad.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.0.notepad.exe.400000.18.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.PI#EB01122021.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.0.notepad.exe.400000.18.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.0.notepad.exe.400000.18.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.notepad.exe.42e8ef0.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.0.notepad.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.PI#EB01122021.exe.3938ef0.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.0.notepad.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.0.notepad.exe.400000.18.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.0.notepad.exe.400000.14.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.0.notepad.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.PI#EB01122021.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.0.notepad.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.0.notepad.exe.400000.12.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.0.notepad.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.0.notepad.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.0.notepad.exe.400000.12.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.0.notepad.exe.400000.20.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.notepad.exe.4078ef0.4.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.0.notepad.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.0.notepad.exe.400000.14.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.0.notepad.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.PI#EB01122021.exe.400000.16.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.0.notepad.exe.400000.20.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.PI#EB01122021.exe.400000.20.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.0.notepad.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.0.notepad.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.PI#EB01122021.exe.400000.18.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.0.notepad.exe.400000.12.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.notepad.exe.3bc9930.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.0.notepad.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.notepad.exe.4388ef0.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.notepad.exe.3e88ef0.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.PI#EB01122021.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.0.notepad.exe.400000.20.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.0.notepad.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.PI#EB01122021.exe.3938ef0.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.PI#EB01122021.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.PI#EB01122021.exe.400000.14.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.0.notepad.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.PI#EB01122021.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.0.notepad.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.0.notepad.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.0.notepad.exe.400000.16.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.notepad.exe.3ed9930.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.0.notepad.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.0.notepad.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.PI#EB01122021.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.PI#EB01122021.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.notepad.exe.4388ef0.4.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.0.notepad.exe.400000.16.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.PI#EB01122021.exe.400000.20.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.PI#EB01122021.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.0.notepad.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.0.notepad.exe.400000.16.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.0.notepad.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.notepad.exe.3e39930.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.notepad.exe.39d9930.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Matched rule: REMCOS_RAT_variants (Author = Adam M. Swanda, Date = 2019-07-18, Website = https://www.deadbits.org, Repo = https://github.com/deadbits/yara-rules) Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type. The rule matched each of the following sources:
Source: 12.0.notepad.exe.400000.20.raw.unpack, type: UNPACKEDPE
Source: 18.0.notepad.exe.400000.8.unpack, type: UNPACKEDPE
Source: 10.0.notepad.exe.400000.16.unpack, type: UNPACKEDPE
Source: 10.0.notepad.exe.400000.20.raw.unpack, type: UNPACKEDPE
Source: 18.2.notepad.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 16.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: 16.0.notepad.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: 10.0.notepad.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: 4.0.PI#EB01122021.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: 10.0.notepad.exe.400000.10.unpack, type: UNPACKEDPE
Source: 12.0.notepad.exe.400000.18.unpack, type: UNPACKEDPE
Source: 17.2.notepad.exe.4078ef0.4.unpack, type: UNPACKEDPE
Source: 4.0.PI#EB01122021.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: 4.2.PI#EB01122021.exe.400000.0.unpack, type: UNPACKEDPE
Source: 00000004.00000000.665707954.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000012.00000000.747132927.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000010.00000000.723857494.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000004.00000000.668087697.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000012.00000000.746294295.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000012.00000002.750190502.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000010.00000000.727672917.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000010.00000000.724829494.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000004.00000000.667581883.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000C.00000000.706138674.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000004.00000000.666944230.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000A.00000000.698084508.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000C.00000000.708512420.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000A.00000000.697551075.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000A.00000000.690545853.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000012.00000000.746714985.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000012.00000000.747620790.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000010.00000002.729381755.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000C.00000000.709640591.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000004.00000000.664681826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000C.00000000.707894778.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000A.00000000.696164588.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000012.00000000.748212725.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000A.00000002.923123873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000C.00000000.706739548.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000A.00000000.691529752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000012.00000000.749457172.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000A.00000000.691017660.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000012.00000000.748825104.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000A.00000000.688839344.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000010.00000000.725530815.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000010.00000000.728757346.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000C.00000000.707310183.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000004.00000000.665184295.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000010.00000000.726516834.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000C.00000000.709107178.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000004.00000002.673320463.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000004.00000000.666364820.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000010.00000000.724333978.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000C.00000002.710208184.0000000000400000.00000040.00000001.sdmp, type: MEMORY
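The memory-dump identifiers above carry more information than a flat list shows: every REMCOS hit sits at the same base address in several different processes, all with the same page protection. The script below is an added example for this page, not part of the Joe Sandbox report, that groups the MEMORY hits by process so that pattern is visible. The field layout it assumes for the ".sdmp" names (process id in hex, phase, dump id, base address, page protection, flag) is inferred from the identifiers listed here and is an assumption; the protection value is decoded with the documented Windows PAGE_* constants (0x40 = PAGE_EXECUTE_READWRITE), and the process-id-to-image mapping is taken from the ".unpack" names above (4 = the dropper, 10/12/16/18 = the notepad.exe copies).

```python
"""Group Joe Sandbox YARA memory hits by process (added example, not report output).

Assumed ".sdmp" layout, inferred from this report's identifiers:
    <pid hex>.<phase hex>.<dump id>.<base address hex>.<protection hex>.<flag hex>.sdmp
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Documented Windows memory-protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}

# Process id -> image name, read off the ".unpack" identifiers in this report (assumed mapping).
PROCESS_NAMES = {4: "PI#EB01122021.exe", 10: "notepad.exe", 12: "notepad.exe",
                 16: "notepad.exe", 18: "notepad.exe"}

SDMP_RE = re.compile(
    r"^Source:\s+(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<flag>[0-9A-Fa-f]{8})\.sdmp,"
    r"\s+type:\s+MEMORY\s+Matched rule:\s+(?P<rule>\S+)"
)


@dataclass(frozen=True)
class MemoryHit:
    pid: int
    phase: int
    base: int
    protection: int
    rule: str

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, hex(self.protection))

    @property
    def executable(self) -> bool:
        return self.protection in EXECUTABLE_PROTECTIONS


def parse_memory_hit(line: str) -> MemoryHit | None:
    """Parse one 'Source: ....sdmp, type: MEMORY Matched rule: X' line; None if it is not one."""
    m = SDMP_RE.match(line.strip())
    if not m:
        return None
    return MemoryHit(pid=int(m["pid"], 16), phase=int(m["phase"], 16),
                     base=int(m["base"], 16), protection=int(m["prot"], 16), rule=m["rule"])


def summarize(lines) -> dict[int, dict]:
    """Return {pid: {"image", "bases", "protections", "hits"}} over all MEMORY hits."""
    out = defaultdict(lambda: {"image": None, "bases": set(), "protections": set(), "hits": 0})
    for line in lines:
        hit = parse_memory_hit(line)
        if hit is None:
            continue
        s = out[hit.pid]
        s["image"] = PROCESS_NAMES.get(hit.pid, "unknown")
        s["bases"].add(hit.base)
        s["protections"].add(hit.protection_name)
        s["hits"] += 1
    return dict(out)


def rwx_image_base_hits(summary) -> list[int]:
    """PIDs whose matched memory sits at the usual 32-bit image base (0x400000) as RWX."""
    return sorted(pid for pid, s in summary.items()
                  if 0x400000 in s["bases"] and "PAGE_EXECUTE_READWRITE" in s["protections"])


# Sample input: three MEMORY lines copied from this report plus one UNPACKEDPE line that must be skipped.
SAMPLE_LINES = [
    "Source: 00000004.00000000.665707954.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = ...",
    "Source: 00000012.00000002.750190502.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = ...",
    "Source: 0000000A.00000002.923123873.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = ...",
    "Source: 4.2.PI#EB01122021.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = ...",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for pid in sorted(summary):
        s = summary[pid]
        print(f"pid {pid:<3} {s['image']:<20} hits={s['hits']} "
              f"bases={[hex(b) for b in s['bases']]} prot={sorted(s['protections'])}")
    print("RWX at 0x400000:", rwx_image_base_hits(summary))
```

Run against the full list above, every matched process (the dropper and each notepad.exe) reports a single RWX region at 0x400000, which is what the "Injects files into Windows application" and process-hollowing evidence further down predicts: the original notepad.exe image has been replaced in place rather than a new module being loaded.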
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0041360B ExitWindowsEx,LoadLibraryA,GetProcAddress, 4_2_0041360B
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0041360B ExitWindowsEx,LoadLibraryA,GetProcAddress, 10_2_0041360B
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: String function: 004308A0 appears 53 times
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: String function: 004301F3 appears 37 times
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: String function: 00402076 appears 50 times
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: String function: 004308A0 appears 53 times
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: String function: 004301F3 appears 37 times
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: String function: 00402076 appears 50 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00414B29 CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle, 4_2_00414B29
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00414B29 CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle, 10_2_00414B29
Sample file is different than original file name gathered from version info
Source: PI#EB01122021.exe Binary or memory string: OriginalFilename vs PI#EB01122021.exe
Source: PI#EB01122021.exe, 00000001.00000002.671210492.0000000003489000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs PI#EB01122021.exe
Source: PI#EB01122021.exe, 00000001.00000002.670529475.0000000002481000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs PI#EB01122021.exe
Source: PI#EB01122021.exe, 00000001.00000002.672873261.0000000005550000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs PI#EB01122021.exe
Source: PI#EB01122021.exe Binary or memory string: OriginalFilenameAssemblyTargetedPatchBandAttribu.exe4 vs PI#EB01122021.exe
Source: PI#EB01122021.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: notepad.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PI#EB01122021.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PI#EB01122021.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@21/6@0/1
Source: C:\Users\user\Desktop\PI#EB01122021.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00416D71 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 4_2_00416D71
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00417629 FindResourceA,LoadResource,LockResource,SizeofResource, 4_2_00417629
Source: PI#EB01122021.exe ReversingLabs: Detection: 24%
Source: C:\Users\user\Desktop\PI#EB01122021.exe File read: C:\Users\user\Desktop\PI#EB01122021.exe
Source: C:\Users\user\Desktop\PI#EB01122021.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\PI#EB01122021.exe "C:\Users\user\Desktop\PI#EB01122021.exe"
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process created: C:\Users\user\Desktop\PI#EB01122021.exe C:\Users\user\Desktop\PI#EB01122021.exe
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Remcos\notepad.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Remcos\notepad.exe C:\Users\user\AppData\Roaming\Remcos\notepad.exe
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process created: C:\Users\user\AppData\Roaming\Remcos\notepad.exe C:\Users\user\AppData\Roaming\Remcos\notepad.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Remcos\notepad.exe "C:\Users\user\AppData\Roaming\Remcos\notepad.exe"
Source: C:\Users\user\Desktop\PI#EB01122021.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00414367 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 4_2_00414367
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00414367 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 10_2_00414367
Source: C:\Users\user\Desktop\PI#EB01122021.exe File created: C:\Users\user\AppData\Local\Temp\install.vbs
Source: C:\Users\user\Desktop\PI#EB01122021.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0040D25B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 4_2_0040D25B
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-GWVBZH
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5252:120:WilError_01
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PI#EB01122021.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PI#EB01122021.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PI#EB01122021.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: PI#EB01122021.exe, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.PI#EB01122021.exe.50000.0.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.PI#EB01122021.exe.50000.0.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: notepad.exe.4.dr, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PI#EB01122021.exe.ae0000.19.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PI#EB01122021.exe.ae0000.17.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PI#EB01122021.exe.ae0000.2.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PI#EB01122021.exe.ae0000.0.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PI#EB01122021.exe.ae0000.7.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PI#EB01122021.exe.ae0000.3.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PI#EB01122021.exe.ae0000.15.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PI#EB01122021.exe.ae0000.5.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PI#EB01122021.exe.ae0000.21.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.PI#EB01122021.exe.ae0000.1.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PI#EB01122021.exe.ae0000.1.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PI#EB01122021.exe.ae0000.11.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PI#EB01122021.exe.ae0000.9.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PI#EB01122021.exe.ae0000.13.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.notepad.exe.6d0000.0.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.notepad.exe.6d0000.0.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.notepad.exe.ca0000.13.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.notepad.exe.ca0000.17.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.notepad.exe.ca0000.19.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.notepad.exe.ca0000.0.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.notepad.exe.ca0000.2.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.notepad.exe.ca0000.7.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.notepad.exe.ca0000.9.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.notepad.exe.ca0000.1.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.notepad.exe.ca0000.21.unpack, wG/wr.cs .Net Code: fQX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00452248 push eax; ret 4_2_00452266
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_004594BD push esi; ret 4_2_004594C6
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_004308E6 push ecx; ret 4_2_004308F9
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00451926 push ecx; ret 4_2_00451939
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00452248 push eax; ret 10_2_00452266
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_004594BD push esi; ret 10_2_004594C6
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_004308E6 push ecx; ret 10_2_004308F9
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00451926 push ecx; ret 10_2_00451939
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00CA9C80 push esi; retf 10_2_00CA9C8A
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 11_2_053EFF04 push E802005Eh; ret 11_2_053EFF09
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0040CD53 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 4_2_0040CD53
Binary contains a suspicious time stamp
Source: PI#EB01122021.exe Static PE information: 0x9E2F5619 [Thu Feb 5 11:06:01 2054 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.90145393477

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\PI#EB01122021.exe File created: C:\Users\user\AppData\Roaming\Remcos\notepad.exe
Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00405E28 ShellExecuteW,URLDownloadToFileW, 4_2_00405E28

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\PI#EB01122021.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run notepad
Source: C:\Users\user\Desktop\PI#EB01122021.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run notepad
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00416D71 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 4_2_00416D71

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\SysWOW64\wscript.exe File deleted: c:\users\user\desktop\pi#eb01122021.exe
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0040CD53 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 4_2_0040CD53
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\PI#EB01122021.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 17.2.notepad.exe.2be1c00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.notepad.exe.2ef1c00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.notepad.exe.29f1c00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PI#EB01122021.exe.24a1bc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.notepad.exe.2e51c00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.735784569.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.752762231.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.670529475.0000000002481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.700890125.00000000029D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.711320797.0000000002E31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PI#EB01122021.exe PID: 6884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 5492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 5156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6952, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PI#EB01122021.exe, 00000001.00000002.670529475.0000000002481000.00000004.00000001.sdmp, notepad.exe, 00000009.00000002.700890125.00000000029D1000.00000004.00000001.sdmp, notepad.exe, 0000000B.00000002.711320797.0000000002E31000.00000004.00000001.sdmp, notepad.exe, 0000000E.00000002.735784569.0000000002ED1000.00000004.00000001.sdmp, notepad.exe, 00000011.00000002.752762231.0000000002BC1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: PI#EB01122021.exe, 00000001.00000002.670529475.0000000002481000.00000004.00000001.sdmp, notepad.exe, 00000009.00000002.700890125.00000000029D1000.00000004.00000001.sdmp, notepad.exe, 0000000B.00000002.711320797.0000000002E31000.00000004.00000001.sdmp, notepad.exe, 0000000E.00000002.735784569.0000000002ED1000.00000004.00000001.sdmp, notepad.exe, 00000011.00000002.752762231.0000000002BC1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Delayed program exit found
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0040D0FF Sleep,ExitProcess, 4_2_0040D0FF
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0040D0FF Sleep,ExitProcess, 10_2_0040D0FF
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PI#EB01122021.exe TID: 6888 Thread sleep time: -40793s >= -30000s
Source: C:\Users\user\Desktop\PI#EB01122021.exe TID: 6960 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe TID: 5484 Thread sleep time: -40924s >= -30000s
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe TID: 4780 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe TID: 6112 Thread sleep count: 66 > 30
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe TID: 6112 Thread sleep time: -33000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe TID: 5360 Thread sleep time: -39753s >= -30000s
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe TID: 5400 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe TID: 6536 Thread sleep time: -38530s >= -30000s
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe TID: 6848 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe TID: 6948 Thread sleep time: -37033s >= -30000s
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe TID: 7048 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Last function: Thread delayed
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 4_2_00416A9F
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 10_2_00416A9F
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PI#EB01122021.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\PI#EB01122021.exe Thread delayed: delay time: 40793
Source: C:\Users\user\Desktop\PI#EB01122021.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Thread delayed: delay time: 40924
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Thread delayed: delay time: 39753
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Thread delayed: delay time: 38530
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Thread delayed: delay time: 37033
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00406AEE SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW, 4_2_00406AEE
Source: notepad.exe, 00000011.00000002.752762231.0000000002BC1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: notepad.exe, 00000011.00000002.752762231.0000000002BC1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: notepad.exe, 00000011.00000002.752762231.0000000002BC1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: notepad.exe, 00000011.00000002.752762231.0000000002BC1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0040A047 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 4_2_0040A047
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00418144 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 4_2_00418144
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0040A262 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 4_2_0040A262
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00406360 FindFirstFileW,FindNextFileW, 4_2_00406360
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0040783D __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_2_0040783D
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00407C95 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_2_00407C95
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00447D49 FindFirstFileExA, 4_2_00447D49
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00415DC8 FindFirstFileW,FindNextFileW,FindNextFileW, 4_2_00415DC8
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0040A047 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 10_2_0040A047
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00418144 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 10_2_00418144
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0040A262 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 10_2_0040A262
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00406360 FindFirstFileW,FindNextFileW, 10_2_00406360
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0040783D __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 10_2_0040783D
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00407C95 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 10_2_00407C95
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00447D49 FindFirstFileExA, 10_2_00447D49
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00415DC8 FindFirstFileW,FindNextFileW,FindNextFileW, 10_2_00415DC8

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0040CD53 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 4_2_0040CD53
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0043DE2E mov eax, dword ptr fs:[00000030h] 4_2_0043DE2E
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0043DE2E mov eax, dword ptr fs:[00000030h] 10_2_0043DE2E
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0043047C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0043047C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0044901D GetProcessHeap, 4_2_0044901D
Source: C:\Users\user\Desktop\PI#EB01122021.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0043047C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0043047C
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0043753F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0043753F
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0043060E SetUnhandledExceptionFilter, 4_2_0043060E
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00430A6C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00430A6C
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0043047C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_0043047C
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0043753F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_0043753F
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_0043060E SetUnhandledExceptionFilter, 10_2_0043060E
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: 10_2_00430A6C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00430A6C

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Network Connect: 79.134.225.119 2404
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00414B29 CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle, 4_2_00414B29
Injects files into Windows application
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Injected file: C:\Users\user\AppData\Roaming\Remcos\notepad.exe was created by C:\Users\user\Desktop\PI#EB01122021.exe
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe 4_2_0040FB05
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe 10_2_0040FB05
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process created: C:\Users\user\Desktop\PI#EB01122021.exe C:\Users\user\Desktop\PI#EB01122021.exe
Source: C:\Users\user\Desktop\PI#EB01122021.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Remcos\notepad.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Remcos\notepad.exe C:\Users\user\AppData\Roaming\Remcos\notepad.exe
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Process created: C:\Users\user\AppData\Roaming\Remcos\notepad.exe C:\Users\user\AppData\Roaming\Remcos\notepad.exe
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00415968 StrToIntA,mouse_event, 4_2_00415968
Source: notepad.exe, 0000000A.00000002.923716071.0000000001990000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: notepad.exe, 0000000A.00000002.923716071.0000000001990000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: notepad.exe, 0000000A.00000002.923716071.0000000001990000.00000002.00020000.sdmp Binary or memory string: Progman
Source: notepad.exe, 0000000A.00000002.923716071.0000000001990000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: logs.dat.10.dr Binary or memory string: [Program Manager]

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: EnumSystemLocalesW, 4_2_00443157
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_0044B1A8
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: GetLocaleInfoA, 4_2_0040D22F
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: EnumSystemLocalesW, 4_2_0044B46B
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: EnumSystemLocalesW, 4_2_0044B420
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: EnumSystemLocalesW, 4_2_0044B506
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_0044B593
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: GetLocaleInfoW, 4_2_00443640
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: GetLocaleInfoW, 4_2_0044B7E3
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_0044B90C
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: GetLocaleInfoW, 4_2_0044BA13
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_0044BAE0
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: EnumSystemLocalesW, 10_2_00443157
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 10_2_0044B1A8
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: GetLocaleInfoA, 10_2_0040D22F
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: EnumSystemLocalesW, 10_2_0044B46B
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: EnumSystemLocalesW, 10_2_0044B420
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: EnumSystemLocalesW, 10_2_0044B506
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 10_2_0044B593
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: GetLocaleInfoW, 10_2_00443640
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: GetLocaleInfoW, 10_2_0044B7E3
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 10_2_0044B90C
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: GetLocaleInfoW, 10_2_0044BA13
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_2_0044BAE0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PI#EB01122021.exe Queries volume information: C:\Users\user\Desktop\PI#EB01122021.exe VolumeInformation
Source: C:\Users\user\Desktop\PI#EB01122021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PI#EB01122021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PI#EB01122021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PI#EB01122021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\PI#EB01122021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Users\user\AppData\Roaming\Remcos\notepad.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Users\user\AppData\Roaming\Remcos\notepad.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_004306EC cpuid 4_2_004306EC
Source: C:\Users\user\Desktop\PI#EB01122021.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_00405038 GetLocalTime,CreateEventA,CreateThread, 4_2_00405038
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_004440B8 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 4_2_004440B8
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: 4_2_0041778E GetComputerNameExW,GetUserNameW, 4_2_0041778E

Stealing of Sensitive Information:

Yara detected Remcos RAT
Source: Yara match File source: Process Memory Space: PI#EB01122021.exe PID: 6884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PI#EB01122021.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 5492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6436, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 5156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 7160, type: MEMORYSTR
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 4_2_0040A047
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: \key3.db 4_2_0040A047
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 10_2_0040A047
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: \key3.db 10_2_0040A047
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 4_2_00409F29
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 10_2_00409F29

Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match File source: 00000010.00000000.724829494.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.667581883.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.706138674.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.666944230.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.698084508.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.674208538.0000000000FB7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.708512420.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.697551075.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.746714985.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.690545853.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.747620790.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.750930266.0000000000A37000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.729381755.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.709640591.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.664681826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.707894778.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.696164588.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.748212725.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.923123873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.706739548.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.691529752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.749457172.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.691017660.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.748825104.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.688839344.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.725530815.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.728757346.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.707310183.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.665184295.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.729849603.0000000001027000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.726516834.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.709107178.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.673320463.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.666364820.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.724333978.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.710208184.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.753512383.0000000003BC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.701679427.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.671210492.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.713877257.0000000003E39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.736965742.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PI#EB01122021.exe PID: 6884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PI#EB01122021.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 5492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6436, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 5156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 7160, type: MEMORYSTR
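The identifiers in the match list above encode where each hit lives: the unpacked-PE names follow "<process index>.<run>.<image>.<base>.<n>[.raw].unpack" and the dump names "<process index>.<run>.<dump id>.<base>.<protection>.<type>.sdmp", so 0000000A is the notepad.exe instance the unpack entries call 10.x. The Python below is an added example, not part of this report or of the sandbox's own tooling. It parses those identifiers and flags every process whose match sits in an execute-read-write mapping at 0x400000, which is where the notepad.exe instances carry the Remcos payload. Reading the fifth dump field as a Windows PAGE_* protection value, the first as the analysis's process index rather than the OS PID, and the other fields as labelled are assumptions drawn from the naming pattern; the sample lines are copied from the report but are not the full list.

```python
"""Added example (not part of the report or of Joe Sandbox): parse the
Yara-match source identifiers and group them by process.

Naming assumed from the report's own identifiers:
  unpacked PE : <proc>.<run>.<image>.<base hex>.<n>[.raw].unpack
  memory dump : <proc hex>.<run hex>.<dump id>.<base hex>.<protect hex>.<type hex>.sdmp
<proc> is the analysis's process index (0000000A = 10, the notepad.exe
instance named 10.x in the unpack entries), not the OS PID. Reading
<protect> as a Windows PAGE_* constant is an assumption of this example."""
import re
from collections import defaultdict

# Constructed sample: nine lines copied from the report, not the full list.
SAMPLE_LINES = """\
Source: Yara match File source: 16.0.notepad.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.PI#EB01122021.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PI#EB01122021.exe.3749000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.notepad.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.923611069.0000000001307000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.665707954.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.750190502.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.671210492.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: notepad.exe PID: 6436, type: MEMORYSTR
"""

LINE_RE = re.compile(r"^Source: Yara match File source: (?P<src>.+), type: (?P<kind>\w+)$")
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<run>\d+)\.(?P<image>.+)\.(?P<base>[0-9a-f]+)"
    r"\.(?P<n>\d+)\.(?:raw\.)?unpack$")
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<run>[0-9A-F]{8})\.(?P<dump>\d+)\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<protect>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})\.sdmp$")
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<image>.+) PID: (?P<pid>\d+)$")

PAGE_EXECUTE_READWRITE = 0x40  # Windows memory-protection constant
CLASSIC_IMAGE_BASE = 0x400000  # default image base of a 32-bit PE


def parse_line(line):
    """Turn one 'Source: Yara match ...' line into a dict, or None if unrecognised."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, kind = m["src"], m["kind"]
    if kind == "UNPACKEDPE" and (u := UNPACK_RE.match(src)):
        return {"kind": kind, "proc": int(u["proc"]), "run": int(u["run"]),
                "image": u["image"], "base": int(u["base"], 16), "protect": None}
    if kind == "MEMORY" and (s := SDMP_RE.match(src)):
        return {"kind": kind, "proc": int(s["proc"], 16), "run": int(s["run"], 16),
                "image": None, "base": int(s["base"], 16), "protect": int(s["protect"], 16)}
    if kind == "MEMORYSTR" and (p := MEMSTR_RE.match(src)):
        # Whole-process string scans carry the OS PID, not the process index.
        return {"kind": kind, "proc": None, "image": p["image"], "pid": int(p["pid"])}
    return None


def summarize(text):
    """Group per process index: image name, matched base addresses, and how
    many dumps were RWX at the classic image base."""
    procs = defaultdict(lambda: {"image": None, "bases": set(), "rwx_at_image_base": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proc"] is None:
            continue
        entry = procs[rec["proc"]]
        if rec["image"]:
            entry["image"] = rec["image"]
        entry["bases"].add(rec["base"])
        if rec["protect"] == PAGE_EXECUTE_READWRITE and rec["base"] == CLASSIC_IMAGE_BASE:
            entry["rwx_at_image_base"] += 1
    return dict(procs)


def injected_pe_candidates(summary):
    """Process indices whose Remcos match sits in an RWX mapping at 0x400000:
    a PE written over a process's image base, consistent with the
    NtUnmapViewOfSection string the report found in the same memory."""
    return sorted(i for i, p in summary.items() if p["rwx_at_image_base"])


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for idx in sorted(s):
        p = s[idx]
        print(idx, p["image"], [hex(b) for b in sorted(p["bases"])], p["rwx_at_image_base"])
    print("RWX at 0x400000:", injected_pe_candidates(s))
```

Run against the full list, the same grouping shows the original sample (index 4) and every notepad.exe instance sharing a writable, executable region at 0x400000, while the 0x3xxxxxx-range hits are heap copies of the unpacked payload before injection.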
Detected Remcos RAT
Source: PI#EB01122021.exe, 00000001.00000002.671210492.0000000003489000.00000004.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: PI#EB01122021.exe, 00000001.00000002.671210492.0000000003489000.00000004.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: PI#EB01122021.exe String found in binary or memory: Remcos_Mutex_Inj
Source: PI#EB01122021.exe, 00000004.00000000.665707954.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: PI#EB01122021.exe, 00000004.00000000.665707954.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: PI#EB01122021.exe, 00000004.00000000.664681826.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: PI#EB01122021.exe, 00000004.00000000.664681826.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: PI#EB01122021.exe, 00000004.00000002.673320463.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: PI#EB01122021.exe, 00000004.00000002.673320463.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: notepad.exe, 00000009.00000002.701679427.00000000039D9000.00000004.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 00000009.00000002.701679427.00000000039D9000.00000004.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: notepad.exe String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 0000000A.00000000.698084508.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 0000000A.00000000.698084508.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: notepad.exe, 0000000A.00000002.923123873.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 0000000A.00000002.923123873.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: notepad.exe, 0000000A.00000000.688839344.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 0000000A.00000000.688839344.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: notepad.exe, 0000000B.00000002.713877257.0000000003E39000.00000004.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 0000000B.00000002.713877257.0000000003E39000.00000004.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: notepad.exe, 0000000C.00000000.706138674.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 0000000C.00000000.706138674.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: notepad.exe, 0000000C.00000000.708512420.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 0000000C.00000000.708512420.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: notepad.exe, 0000000C.00000002.710208184.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 0000000C.00000002.710208184.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: notepad.exe, 0000000E.00000002.736965742.0000000003ED9000.00000004.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 0000000E.00000002.736965742.0000000003ED9000.00000004.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: notepad.exe, 00000010.00000000.723857494.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 00000010.00000000.723857494.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: notepad.exe, 00000010.00000000.727672917.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 00000010.00000000.727672917.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: notepad.exe, 00000010.00000002.729381755.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 00000010.00000002.729381755.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: notepad.exe, 00000011.00000002.753512383.0000000003BC9000.00000004.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 00000011.00000002.753512383.0000000003BC9000.00000004.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: notepad.exe, 00000012.00000000.747132927.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 00000012.00000000.747132927.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: notepad.exe, 00000012.00000002.750190502.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 00000012.00000002.750190502.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: notepad.exe, 00000012.00000000.746294295.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: notepad.exe, 00000012.00000000.746294295.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
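The detection above rests on fixed strings: the Remcos_Mutex_Inj mutex name, the VBS self-delete stub, the "Remcos Agent initialized" banner and the license_code.txt file name, all recovered identically from the original sample and from the injected notepad.exe instances. The Python below is an added example, not code from the report or from any vendor: it scans a buffer for those strings in both ASCII and UTF-16LE and returns their offsets. The sample dump is constructed inline, and requiring the mutex name plus at least one corroborating string before calling a buffer Remcos is this example's own threshold.

```python
"""Added example (not from the report): scan a memory dump or file for the
Remcos indicator strings the report keys on, in ASCII and UTF-16LE.
The two-indicator threshold in is_remcos() is this example's own choice."""
from pathlib import Path

# Indicator strings copied from the 'String found in binary or memory' lines.
INDICATORS = {
    "remcos_mutex": b"Remcos_Mutex_Inj",
    "vbs_self_delete": b'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)',
    "agent_banner": b"Remcos Agent initialized",
    "license_file": b"license_code.txt",
}


def _encodings(needle: bytes):
    """Yield the needle as stored by narrow and wide Windows string APIs."""
    yield "ascii", needle
    yield "utf-16le", needle.decode("ascii").encode("utf-16-le")


def find_indicators(buf: bytes) -> dict:
    """Return {indicator: [(offset, encoding), ...]} for every occurrence in buf."""
    hits = {}
    for name, needle in INDICATORS.items():
        found = []
        for enc, pat in _encodings(needle):
            start = 0
            while (i := buf.find(pat, start)) != -1:
                found.append((i, enc))
                start = i + 1
        if found:
            hits[name] = found
    return hits


def is_remcos(buf: bytes) -> bool:
    """Mutex name plus at least one corroborating string: a lone mutex hit
    (an AV signature database, or a copy of this report) should not trigger."""
    hits = find_indicators(buf)
    return "remcos_mutex" in hits and len(hits) >= 2


def scan_file(path) -> dict:
    """Scan one dump file (e.g. an .sdmp region or the dropped notepad.exe)."""
    return find_indicators(Path(path).read_bytes())


# Constructed sample dump: padding plus three indicators, the banner in UTF-16LE.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Remcos_Mutex_Inj"
    + b"\x00" * 5
    + INDICATORS["vbs_self_delete"]
    + "Remcos Agent initialized".encode("utf-16-le")
)

if __name__ == "__main__":
    for name, where in find_indicators(SAMPLE_DUMP).items():
        print(name, [(hex(off), enc) for off, enc in where])
    print("Remcos:", is_remcos(SAMPLE_DUMP))
```

Point scan_file() at the 0x400000 regions listed above to confirm that the same strings sit at the same relative offsets in every injected notepad.exe instance; that consistency is what makes a fixed-string rule viable for this build.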
Contains functionality to launch or control a shell (cmd.exe)
Source: C:\Users\user\Desktop\PI#EB01122021.exe Code function: cmd.exe 4_2_004057A3
Source: C:\Users\user\AppData\Roaming\Remcos\notepad.exe Code function: cmd.exe 10_2_004057A3