Edit tour

Windows Analysis Report
s0VxndYXq0

Overview

General Information

Sample Name:	s0VxndYXq0 (renamed file extension from none to exe)
Analysis ID:	679299
MD5:	de9784a4f56eaf8affc96754a15a5cd3
SHA1:	35c361a8bfdb894e80fe99728e60ad7d08745af1
SHA256:	f384a96582763be490ea4eeed6d3f10291d7df964f64db077b4d10697149a7da
Tags:	exe
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected Remcos RAT

Antivirus / Scanner detection for submitted sample

Detected Remcos RAT

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Uses ping.exe to check the status of other devices and networks

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Uses ping.exe to sleep

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

s0VxndYXq0.exe (PID: 2732 cmdline: "C:\Users\user\Desktop\s0VxndYXq0.exe" MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

s0VxndYXq0.exe (PID: 3264 cmdline: C:\Users\user\Desktop\s0VxndYXq0.exe MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

cmd.exe (PID: 3704 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\install.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 5088 cmdline: PING 127.0.0.1 -n 2 MD5: 70C24A306F768936563ABDADB9CA9108)

remcos.exe (PID: 3908 cmdline: "C:\Users\user\remcos\remcos.exe" MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

remcos.exe (PID: 1924 cmdline: C:\Users\user\remcos\remcos.exe MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

remcos.exe (PID: 5456 cmdline: C:\Users\user\remcos\remcos.exe MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

remcos.exe (PID: 3572 cmdline: C:\Users\user\remcos\remcos.exe MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

remcos.exe (PID: 5540 cmdline: "C:\Users\user\remcos\remcos.exe" MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

remcos.exe (PID: 5580 cmdline: C:\Users\user\remcos\remcos.exe MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

remcos.exe (PID: 4776 cmdline: "C:\Users\user\remcos\remcos.exe" MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

remcos.exe (PID: 5832 cmdline: C:\Users\user\remcos\remcos.exe MD5: DE9784A4F56EAF8AFFC96754A15A5CD3)

cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "79.134.225.97:8600:123456|", "Assigned name": "Host", "Connect interval": "5", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "User Profile", "Copy file": "remcos.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_totevzugmgbhhbj", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "remcos"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
s0VxndYXq0.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\remcos\remcos.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x1afb8:$remcos: Remcos 0x1b82c:$remcos: Remcos 0x1b864:$url: Breaking-Security.Net 0x20086:$resource: SETTINGS
00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x72b64:$remcos: Remcos 0x733d8:$remcos: Remcos 0x73410:$url: Breaking-Security.Net 0x77c32:$resource: SETTINGS
00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x2c434:$remcos: Remcos 0x2cca8:$remcos: Remcos 0x43454:$remcos: Remcos 0x43cc8:$remcos: Remcos 0x2cce0:$url: Breaking-Security.Net 0x43d00:$url: Breaking-Security.Net 0x314ea:$resource: SETTINGS 0x4850a:$resource: SETTINGS
0000001C.00000002.365233653.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001A.00000002.342391067.0000000002F00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x6f020:$remcos: Remcos 0x6f894:$remcos: Remcos 0x6f8cc:$url: Breaking-Security.Net 0x740ee:$resource: SETTINGS
00000005.00000002.269857625.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000018.00000002.493007691.00000000029B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: s0VxndYXq0.exe PID: 2732	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: s0VxndYXq0.exe PID: 2732	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: s0VxndYXq0.exe PID: 3264	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: remcos.exe PID: 3908	webshell_jsp_generic_base64	Generic JSP webshell with base64 encoded payload	Arnim Rupp	0x12925:$one1: SdW50aW1l 0x13d99:$one1: SdW50aW1l 0x14443:$one1: SdW50aW1l 0x217b2:$one1: SdW50aW1l 0x21e5b:$one1: SdW50aW1l 0x2550f:$one1: SdW50aW1l 0x25bb7:$one1: SdW50aW1l 0x2926b:$one1: SdW50aW1l 0x29913:$one1: SdW50aW1l 0x12ac6:$one3: UnVudGltZ 0x13f3a:$one3: UnVudGltZ 0x21953:$one3: UnVudGltZ 0x256b0:$one3: UnVudGltZ 0x2940c:$one3: UnVudGltZ 0x44ed:$two2: V4ZW 0x6c25:$cjsp_short2: %> 0x6f86:$cjsp_short2: %> 0x46540:$cjsp_long7: < %
Process Memory Space: remcos.exe PID: 3908	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: remcos.exe PID: 3908	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: remcos.exe PID: 5540	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: remcos.exe PID: 3572	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: remcos.exe PID: 5580	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.s0VxndYXq0.exe.452e400.8.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.s0VxndYXq0.exe.452e400.8.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x10738:$s1: \Classes\mscfile\shell\open\command 0x10720:$s2: eventvwr.exe
0.2.s0VxndYXq0.exe.452e400.8.unpack	Remcos_1	Remcos Payload	kevoreilly	0x11034:$name: Remcos 0x118a8:$name: Remcos 0x118fb:$name: REMCOS 0x10688:$time: %02i:%02i:%02i:%03i 0x11320:$time: %02i:%02i:%02i:%03i 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
0.2.s0VxndYXq0.exe.452e400.8.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x11034:$remcos: Remcos 0x118a8:$remcos: Remcos 0x118e0:$url: Breaking-Security.Net 0x160ea:$resource: SETTINGS
0.2.s0VxndYXq0.exe.452e400.8.unpack	REMCOS_RAT_variants	unknown	unknown	0x114dc:$funcs1: autogetofflinelogs 0x114c0:$funcs2: clearlogins 0x114f0:$funcs3: getofflinelogs 0x11578:$funcs4: execcom 0x114cc:$funcs5: deletekeylog 0x11798:$funcs6: remscriptexecd 0x115bc:$funcs7: getwindows 0x10da0:$funcs8: fundlldata 0x10d78:$funcs9: getfunlib 0x107ec:$funcs10: autofflinelogs 0x113b8:$funcs11: getclipboard 0x114b4:$funcs12: getscrslist 0x107e0:$funcs13: offlinelogs 0x105c8:$funcs14: getcamsingleframe 0x116e4:$funcs15: listfiles 0x115e0:$funcs16: getproclist 0x10828:$funcs17: onlinelogs 0x11700:$funcs18: getdrives 0x11784:$funcs19: remscriptsuccess 0x10600:$funcs20: getcamframe 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
0.2.s0VxndYXq0.exe.4545420.9.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.s0VxndYXq0.exe.4545420.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x10738:$s1: \Classes\mscfile\shell\open\command 0x10720:$s2: eventvwr.exe
0.2.s0VxndYXq0.exe.4545420.9.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x11034:$name: Remcos 0x118a8:$name: Remcos 0x118fb:$name: REMCOS 0x10688:$time: %02i:%02i:%02i:%03i 0x11320:$time: %02i:%02i:%02i:%03i 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
0.2.s0VxndYXq0.exe.4545420.9.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x11034:$remcos: Remcos 0x118a8:$remcos: Remcos 0x118e0:$url: Breaking-Security.Net 0x160ea:$resource: SETTINGS
0.2.s0VxndYXq0.exe.4545420.9.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x114dc:$funcs1: autogetofflinelogs 0x114c0:$funcs2: clearlogins 0x114f0:$funcs3: getofflinelogs 0x11578:$funcs4: execcom 0x114cc:$funcs5: deletekeylog 0x11798:$funcs6: remscriptexecd 0x115bc:$funcs7: getwindows 0x10da0:$funcs8: fundlldata 0x10d78:$funcs9: getfunlib 0x107ec:$funcs10: autofflinelogs 0x113b8:$funcs11: getclipboard 0x114b4:$funcs12: getscrslist 0x107e0:$funcs13: offlinelogs 0x105c8:$funcs14: getcamsingleframe 0x116e4:$funcs15: listfiles 0x115e0:$funcs16: getproclist 0x10828:$funcs17: onlinelogs 0x11700:$funcs18: getdrives 0x11784:$funcs19: remscriptsuccess 0x10600:$funcs20: getcamframe 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x2de9c:$s1: \Classes\mscfile\shell\open\command 0x2de84:$s2: eventvwr.exe
0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x2e798:$name: Remcos 0x2f00c:$name: Remcos 0x2f05f:$name: REMCOS 0x2ddec:$time: %02i:%02i:%02i:%03i 0x2ea84:$time: %02i:%02i:%02i:%03i 0x1fbb8:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x2e798:$remcos: Remcos 0x2f00c:$remcos: Remcos 0x2f044:$url: Breaking-Security.Net 0x33866:$resource: SETTINGS
0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x2ec40:$funcs1: autogetofflinelogs 0x2ec24:$funcs2: clearlogins 0x2ec54:$funcs3: getofflinelogs 0x2ecdc:$funcs4: execcom 0x2ec30:$funcs5: deletekeylog 0x2eefc:$funcs6: remscriptexecd 0x2ed20:$funcs7: getwindows 0x2e504:$funcs8: fundlldata 0x2e4dc:$funcs9: getfunlib 0x2df50:$funcs10: autofflinelogs 0x2eb1c:$funcs11: getclipboard 0x2ec18:$funcs12: getscrslist 0x2df44:$funcs13: offlinelogs 0x2dd2c:$funcs14: getcamsingleframe 0x2ee48:$funcs15: listfiles 0x2ed44:$funcs16: getproclist 0x2df8c:$funcs17: onlinelogs 0x2ee64:$funcs18: getdrives 0x2eee8:$funcs19: remscriptsuccess 0x2dd64:$funcs20: getcamframe 0x2e8c0:$str_a1: C:\Windows\System32\cmd.exe
9.2.remcos.exe.2bab5e4.3.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.remcos.exe.2bab5e4.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x3dc84:$s1: \Classes\mscfile\shell\open\command 0x3dc6c:$s2: eventvwr.exe
9.2.remcos.exe.2bab5e4.3.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x3e580:$name: Remcos 0x3edf4:$name: Remcos 0x3ee47:$name: REMCOS 0x3dbd4:$time: %02i:%02i:%02i:%03i 0x3e86c:$time: %02i:%02i:%02i:%03i 0x2f9a0:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
9.2.remcos.exe.2bab5e4.3.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x3e580:$remcos: Remcos 0x3edf4:$remcos: Remcos 0x3ee2c:$url: Breaking-Security.Net 0x4364e:$resource: SETTINGS
9.2.remcos.exe.2bab5e4.3.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x3ea28:$funcs1: autogetofflinelogs 0x3ea0c:$funcs2: clearlogins 0x3ea3c:$funcs3: getofflinelogs 0x3eac4:$funcs4: execcom 0x3ea18:$funcs5: deletekeylog 0x3ece4:$funcs6: remscriptexecd 0x3eb08:$funcs7: getwindows 0x3e2ec:$funcs8: fundlldata 0x3e2c4:$funcs9: getfunlib 0x3dd38:$funcs10: autofflinelogs 0x3e904:$funcs11: getclipboard 0x3ea00:$funcs12: getscrslist 0x3dd2c:$funcs13: offlinelogs 0x3db14:$funcs14: getcamsingleframe 0x3ec30:$funcs15: listfiles 0x3eb2c:$funcs16: getproclist 0x3dd74:$funcs17: onlinelogs 0x3ec4c:$funcs18: getdrives 0x3ecd0:$funcs19: remscriptsuccess 0x3db4c:$funcs20: getcamframe 0x3e6a8:$str_a1: C:\Windows\System32\cmd.exe
0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x43574:$s1: \Classes\mscfile\shell\open\command 0x4355c:$s2: eventvwr.exe
0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x43e70:$name: Remcos 0x446e4:$name: Remcos 0x44737:$name: REMCOS 0x434c4:$time: %02i:%02i:%02i:%03i 0x4415c:$time: %02i:%02i:%02i:%03i 0x35290:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x43e70:$remcos: Remcos 0x446e4:$remcos: Remcos 0x4471c:$url: Breaking-Security.Net 0x48f3e:$resource: SETTINGS
0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x44318:$funcs1: autogetofflinelogs 0x442fc:$funcs2: clearlogins 0x4432c:$funcs3: getofflinelogs 0x443b4:$funcs4: execcom 0x44308:$funcs5: deletekeylog 0x445d4:$funcs6: remscriptexecd 0x443f8:$funcs7: getwindows 0x43bdc:$funcs8: fundlldata 0x43bb4:$funcs9: getfunlib 0x43628:$funcs10: autofflinelogs 0x441f4:$funcs11: getclipboard 0x442f0:$funcs12: getscrslist 0x4361c:$funcs13: offlinelogs 0x43404:$funcs14: getcamsingleframe 0x44520:$funcs15: listfiles 0x4441c:$funcs16: getproclist 0x43664:$funcs17: onlinelogs 0x4453c:$funcs18: getdrives 0x445c0:$funcs19: remscriptsuccess 0x4343c:$funcs20: getcamframe 0x43f98:$str_a1: C:\Windows\System32\cmd.exe
0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x3a0e8:$s1: \Classes\mscfile\shell\open\command 0x3a0d0:$s2: eventvwr.exe
0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x3a9e4:$name: Remcos 0x3b258:$name: Remcos 0x3b2ab:$name: REMCOS 0x3a038:$time: %02i:%02i:%02i:%03i 0x3acd0:$time: %02i:%02i:%02i:%03i 0x2be04:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x3a9e4:$remcos: Remcos 0x3b258:$remcos: Remcos 0x3b290:$url: Breaking-Security.Net 0x3fab2:$resource: SETTINGS
0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x3ae8c:$funcs1: autogetofflinelogs 0x3ae70:$funcs2: clearlogins 0x3aea0:$funcs3: getofflinelogs 0x3af28:$funcs4: execcom 0x3ae7c:$funcs5: deletekeylog 0x3b148:$funcs6: remscriptexecd 0x3af6c:$funcs7: getwindows 0x3a750:$funcs8: fundlldata 0x3a728:$funcs9: getfunlib 0x3a19c:$funcs10: autofflinelogs 0x3ad68:$funcs11: getclipboard 0x3ae64:$funcs12: getscrslist 0x3a190:$funcs13: offlinelogs 0x39f78:$funcs14: getcamsingleframe 0x3b094:$funcs15: listfiles 0x3af90:$funcs16: getproclist 0x3a1d8:$funcs17: onlinelogs 0x3b0b0:$funcs18: getdrives 0x3b134:$funcs19: remscriptsuccess 0x39fb0:$funcs20: getcamframe 0x3ab0c:$str_a1: C:\Windows\System32\cmd.exe
9.2.remcos.exe.2bb7830.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.remcos.exe.2bb7830.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x31a38:$s1: \Classes\mscfile\shell\open\command 0x31a20:$s2: eventvwr.exe
9.2.remcos.exe.2bb7830.2.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x32334:$name: Remcos 0x32ba8:$name: Remcos 0x32bfb:$name: REMCOS 0x31988:$time: %02i:%02i:%02i:%03i 0x32620:$time: %02i:%02i:%02i:%03i 0x23754:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
9.2.remcos.exe.2bb7830.2.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x32334:$remcos: Remcos 0x32ba8:$remcos: Remcos 0x32be0:$url: Breaking-Security.Net 0x37402:$resource: SETTINGS
9.2.remcos.exe.2bb7830.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x327dc:$funcs1: autogetofflinelogs 0x327c0:$funcs2: clearlogins 0x327f0:$funcs3: getofflinelogs 0x32878:$funcs4: execcom 0x327cc:$funcs5: deletekeylog 0x32a98:$funcs6: remscriptexecd 0x328bc:$funcs7: getwindows 0x320a0:$funcs8: fundlldata 0x32078:$funcs9: getfunlib 0x31aec:$funcs10: autofflinelogs 0x326b8:$funcs11: getclipboard 0x327b4:$funcs12: getscrslist 0x31ae0:$funcs13: offlinelogs 0x318c8:$funcs14: getcamsingleframe 0x329e4:$funcs15: listfiles 0x328e0:$funcs16: getproclist 0x31b28:$funcs17: onlinelogs 0x32a00:$funcs18: getdrives 0x32a84:$funcs19: remscriptsuccess 0x31900:$funcs20: getcamframe 0x3245c:$str_a1: C:\Windows\System32\cmd.exe
5.0.s0VxndYXq0.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
5.0.s0VxndYXq0.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x10738:$s1: \Classes\mscfile\shell\open\command 0x10720:$s2: eventvwr.exe
5.0.s0VxndYXq0.exe.400000.0.unpack	Remcos_1	Remcos Payload	kevoreilly	0x11034:$name: Remcos 0x118a8:$name: Remcos 0x118fb:$name: REMCOS 0x10688:$time: %02i:%02i:%02i:%03i 0x11320:$time: %02i:%02i:%02i:%03i 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
5.0.s0VxndYXq0.exe.400000.0.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x11034:$remcos: Remcos 0x118a8:$remcos: Remcos 0x118e0:$url: Breaking-Security.Net 0x160ea:$resource: SETTINGS
5.0.s0VxndYXq0.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x114dc:$funcs1: autogetofflinelogs 0x114c0:$funcs2: clearlogins 0x114f0:$funcs3: getofflinelogs 0x11578:$funcs4: execcom 0x114cc:$funcs5: deletekeylog 0x11798:$funcs6: remscriptexecd 0x115bc:$funcs7: getwindows 0x10da0:$funcs8: fundlldata 0x10d78:$funcs9: getfunlib 0x107ec:$funcs10: autofflinelogs 0x113b8:$funcs11: getclipboard 0x114b4:$funcs12: getscrslist 0x107e0:$funcs13: offlinelogs 0x105c8:$funcs14: getcamsingleframe 0x116e4:$funcs15: listfiles 0x115e0:$funcs16: getproclist 0x10828:$funcs17: onlinelogs 0x11700:$funcs18: getdrives 0x11784:$funcs19: remscriptsuccess 0x10600:$funcs20: getcamframe 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
0.2.s0VxndYXq0.exe.452e400.8.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.s0VxndYXq0.exe.452e400.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x10738:$s1: \Classes\mscfile\shell\open\command 0x27758:$s1: \Classes\mscfile\shell\open\command 0x10720:$s2: eventvwr.exe 0x27740:$s2: eventvwr.exe
0.2.s0VxndYXq0.exe.452e400.8.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x11034:$name: Remcos 0x118a8:$name: Remcos 0x118fb:$name: REMCOS 0x28054:$name: Remcos 0x288c8:$name: Remcos 0x2891b:$name: REMCOS 0x10688:$time: %02i:%02i:%02i:%03i 0x11320:$time: %02i:%02i:%02i:%03i 0x276a8:$time: %02i:%02i:%02i:%03i 0x28340:$time: %02i:%02i:%02i:%03i 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72 0x19a1c:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
0.2.s0VxndYXq0.exe.452e400.8.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x11034:$remcos: Remcos 0x118a8:$remcos: Remcos 0x28054:$remcos: Remcos 0x288c8:$remcos: Remcos 0x118e0:$url: Breaking-Security.Net 0x28900:$url: Breaking-Security.Net 0x160ea:$resource: SETTINGS 0x2d10a:$resource: SETTINGS
0.2.s0VxndYXq0.exe.452e400.8.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x114dc:$funcs1: autogetofflinelogs 0x284fc:$funcs1: autogetofflinelogs 0x114c0:$funcs2: clearlogins 0x284e0:$funcs2: clearlogins 0x114f0:$funcs3: getofflinelogs 0x28510:$funcs3: getofflinelogs 0x11578:$funcs4: execcom 0x28598:$funcs4: execcom 0x114cc:$funcs5: deletekeylog 0x284ec:$funcs5: deletekeylog 0x11798:$funcs6: remscriptexecd 0x287b8:$funcs6: remscriptexecd 0x115bc:$funcs7: getwindows 0x285dc:$funcs7: getwindows 0x10da0:$funcs8: fundlldata 0x27dc0:$funcs8: fundlldata 0x10d78:$funcs9: getfunlib 0x27d98:$funcs9: getfunlib 0x107ec:$funcs10: autofflinelogs 0x2780c:$funcs10: autofflinelogs 0x113b8:$funcs11: getclipboard
0.2.s0VxndYXq0.exe.4545420.9.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.s0VxndYXq0.exe.4545420.9.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x10738:$s1: \Classes\mscfile\shell\open\command 0x10720:$s2: eventvwr.exe
0.2.s0VxndYXq0.exe.4545420.9.unpack	Remcos_1	Remcos Payload	kevoreilly	0x11034:$name: Remcos 0x118a8:$name: Remcos 0x118fb:$name: REMCOS 0x10688:$time: %02i:%02i:%02i:%03i 0x11320:$time: %02i:%02i:%02i:%03i 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
0.2.s0VxndYXq0.exe.4545420.9.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x11034:$remcos: Remcos 0x118a8:$remcos: Remcos 0x118e0:$url: Breaking-Security.Net 0x160ea:$resource: SETTINGS
0.2.s0VxndYXq0.exe.4545420.9.unpack	REMCOS_RAT_variants	unknown	unknown	0x114dc:$funcs1: autogetofflinelogs 0x114c0:$funcs2: clearlogins 0x114f0:$funcs3: getofflinelogs 0x11578:$funcs4: execcom 0x114cc:$funcs5: deletekeylog 0x11798:$funcs6: remscriptexecd 0x115bc:$funcs7: getwindows 0x10da0:$funcs8: fundlldata 0x10d78:$funcs9: getfunlib 0x107ec:$funcs10: autofflinelogs 0x113b8:$funcs11: getclipboard 0x114b4:$funcs12: getscrslist 0x107e0:$funcs13: offlinelogs 0x105c8:$funcs14: getcamsingleframe 0x116e4:$funcs15: listfiles 0x115e0:$funcs16: getproclist 0x10828:$funcs17: onlinelogs 0x11700:$funcs18: getdrives 0x11784:$funcs19: remscriptsuccess 0x10600:$funcs20: getcamframe 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
9.2.remcos.exe.2ba2158.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.remcos.exe.2ba2158.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x47110:$s1: \Classes\mscfile\shell\open\command 0x470f8:$s2: eventvwr.exe
9.2.remcos.exe.2ba2158.1.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x47a0c:$name: Remcos 0x48280:$name: Remcos 0x482d3:$name: REMCOS 0x47060:$time: %02i:%02i:%02i:%03i 0x47cf8:$time: %02i:%02i:%02i:%03i 0x38e2c:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
9.2.remcos.exe.2ba2158.1.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x47a0c:$remcos: Remcos 0x48280:$remcos: Remcos 0x482b8:$url: Breaking-Security.Net 0x4cada:$resource: SETTINGS
9.2.remcos.exe.2ba2158.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x47eb4:$funcs1: autogetofflinelogs 0x47e98:$funcs2: clearlogins 0x47ec8:$funcs3: getofflinelogs 0x47f50:$funcs4: execcom 0x47ea4:$funcs5: deletekeylog 0x48170:$funcs6: remscriptexecd 0x47f94:$funcs7: getwindows 0x47778:$funcs8: fundlldata 0x47750:$funcs9: getfunlib 0x471c4:$funcs10: autofflinelogs 0x47d90:$funcs11: getclipboard 0x47e8c:$funcs12: getscrslist 0x471b8:$funcs13: offlinelogs 0x46fa0:$funcs14: getcamsingleframe 0x480bc:$funcs15: listfiles 0x47fb8:$funcs16: getproclist 0x47200:$funcs17: onlinelogs 0x480d8:$funcs18: getdrives 0x4815c:$funcs19: remscriptsuccess 0x46fd8:$funcs20: getcamframe 0x47b34:$str_a1: C:\Windows\System32\cmd.exe
0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x2b958:$s1: \Classes\mscfile\shell\open\command 0x42978:$s1: \Classes\mscfile\shell\open\command 0x2b940:$s2: eventvwr.exe 0x42960:$s2: eventvwr.exe
0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack	Remcos_1	Remcos Payload	kevoreilly	0x2c254:$name: Remcos 0x2cac8:$name: Remcos 0x2cb1b:$name: REMCOS 0x43274:$name: Remcos 0x43ae8:$name: Remcos 0x43b3b:$name: REMCOS 0x2b8a8:$time: %02i:%02i:%02i:%03i 0x2c540:$time: %02i:%02i:%02i:%03i 0x428c8:$time: %02i:%02i:%02i:%03i 0x43560:$time: %02i:%02i:%02i:%03i 0x1dc1c:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72 0x34c3c:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack	Remcos	detect Remcos in memory	JPCERT/CC Incident Response Group	0x2c254:$remcos: Remcos 0x2cac8:$remcos: Remcos 0x43274:$remcos: Remcos 0x43ae8:$remcos: Remcos 0x2cb00:$url: Breaking-Security.Net 0x43b20:$url: Breaking-Security.Net 0x3130a:$resource: SETTINGS 0x4832a:$resource: SETTINGS
0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x2c6fc:$funcs1: autogetofflinelogs 0x4371c:$funcs1: autogetofflinelogs 0x2c6e0:$funcs2: clearlogins 0x43700:$funcs2: clearlogins 0x2c710:$funcs3: getofflinelogs 0x43730:$funcs3: getofflinelogs 0x2c798:$funcs4: execcom 0x437b8:$funcs4: execcom 0x2c6ec:$funcs5: deletekeylog 0x4370c:$funcs5: deletekeylog 0x2c9b8:$funcs6: remscriptexecd 0x439d8:$funcs6: remscriptexecd 0x2c7dc:$funcs7: getwindows 0x437fc:$funcs7: getwindows 0x2bfc0:$funcs8: fundlldata 0x42fe0:$funcs8: fundlldata 0x2bf98:$funcs9: getfunlib 0x42fb8:$funcs9: getfunlib 0x2ba0c:$funcs10: autofflinelogs 0x42a2c:$funcs10: autofflinelogs 0x2c5d8:$funcs11: getclipboard
0.0.s0VxndYXq0.exe.550000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Click to see the 56 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: s0VxndYXq0.exe	Virustotal: Detection: 53%			Perma Link
Source: s0VxndYXq0.exe	ReversingLabs: Detection: 53%

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.365233653.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.342391067.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.269857625.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.493007691.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 2732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 3264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 5540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 5580, type: MEMORYSTR

Antivirus / Scanner detection for submitted sample

Source: s0VxndYXq0.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\remcos\remcos.exe

Avira: detection malicious, Label: TR/Kryptik.wodao

Multi AV Scanner detection for dropped file

Source: C:\Users\user\remcos\remcos.exe

ReversingLabs: Detection: 53%

Machine Learning detection for sample

Source: s0VxndYXq0.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\remcos\remcos.exe

Joe Sandbox ML: detected

Source: 0000001C.00000002.365233653.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "79.134.225.97:8600:123456|", "Assigned name": "Host", "Connect interval": "5", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "User Profile", "Copy file": "remcos.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_totevzugmgbhhbj", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "remcos"}

Source: s0VxndYXq0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: s0VxndYXq0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2

Yara detected Generic Downloader

Source: Yara match	File source: s0VxndYXq0.exe, type: SAMPLE
Source: Yara match	File source: 0.0.s0VxndYXq0.exe.550000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\remcos\remcos.exe, type: DROPPED

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 79.134.225.97

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: Joe Sandbox View

IP Address: 79.134.225.97 79.134.225.97

Source: global traffic

TCP traffic: 192.168.2.4:49765 -> 79.134.225.97:8600

Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.97

Source: s0VxndYXq0.exe, remcos.exe.5.dr	String found in binary or memory: http://bit.ly/unCoIY?http://lolnotes-
Source: s0VxndYXq0.exe, remcos.exe.5.dr	String found in binary or memory: http://bladecoding.com/lolnotes/leagueofstats.php?name=
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: s0VxndYXq0.exe, 00000000.00000003.243809889.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.243932808.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.243586194.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244127013.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244021936.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.243771965.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.243848246.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244328823.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244234942.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.249288953.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.274138797.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agfamonotype.cw
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244188865.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.274032296.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244610211.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244375972.0000000005AED000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.264248405.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com.TTF
Source: s0VxndYXq0.exe, 00000000.00000003.237525657.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238027244.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237981073.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238107631.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238027244.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238027244.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: s0VxndYXq0.exe, 00000000.00000003.237791179.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237771360.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237819421.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersF
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: s0VxndYXq0.exe, 00000000.00000003.237710320.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersP
Source: s0VxndYXq0.exe, 00000000.00000003.238476266.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238443260.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersa
Source: s0VxndYXq0.exe, 00000000.00000003.244079552.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designerse
Source: s0VxndYXq0.exe, 00000000.00000003.237791179.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237910949.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237771360.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237851832.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237819421.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237952730.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designerses-es_tradnlw
Source: s0VxndYXq0.exe, 00000000.00000003.244112658.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244079552.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designerst
Source: s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com7
Source: s0VxndYXq0.exe, 00000000.00000003.244188865.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244610211.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244375972.0000000005AED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalsF
Source: s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalsR
Source: s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalsk
Source: s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comessed
Source: s0VxndYXq0.exe, 00000000.00000003.244188865.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244610211.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244375972.0000000005AED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comictav
Source: s0VxndYXq0.exe, 00000000.00000003.244188865.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244610211.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244375972.0000000005AED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236394837.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: s0VxndYXq0.exe, 00000000.00000003.236244264.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/%
Source: s0VxndYXq0.exe, 00000000.00000003.236244264.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236394837.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y
Source: s0VxndYXq0.exe, 00000000.00000003.236244264.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236394837.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: s0VxndYXq0.exe, 00000000.00000003.236244264.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236394837.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/l-g
Source: s0VxndYXq0.exe, remcos.exe.5.dr	String found in binary or memory: http://www.lolking.net/summoner/
Source: s0VxndYXq0.exe, 00000000.00000003.237033632.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237070417.0000000005B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.Wb
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: s0VxndYXq0.exe, remcos.exe.5.dr	String found in binary or memory: https://github.com/high6/LoLNotes
Source: s0VxndYXq0.exe, remcos.exe.5.dr	String found in binary or memory: https://raw.github.com/bladecoding/LoLNotes/master/General.txtO

Source: remcos.exe, 00000009.00000002.322144849.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.365233653.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.342391067.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.269857625.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.493007691.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 2732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 3264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 5540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 5580, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group

Source: s0VxndYXq0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: Process Memory Space: remcos.exe PID: 3908, type: MEMORYSTR	Matched rule: webshell_jsp_generic_base64 date = 2021/01/24, author = Arnim Rupp, description = Generic JSP webshell with base64 encoded payload, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 1b916afdd415dfa4e77cecf47321fd676ba2184d

Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Code function: 0_2_029DE4FC
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Code function: 0_2_075A53C0
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Code function: 0_2_075A6988
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Code function: 0_2_075AA3B8
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Code function: 0_2_075A53B0
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_00F8E4FC
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_07006988
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_070053C0
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0700A3B8
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_070053B0
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0ADCC078
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0ADCC6E0
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0ADC21F0
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0ADC21E1
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0AEE7AA0
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0AEE0040
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0AEE0039
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0AEE8CF0

Source: s0VxndYXq0.exe, 00000000.00000002.276887769.00000000075C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePlates.dll4 vs s0VxndYXq0.exe
Source: s0VxndYXq0.exe, 00000000.00000002.267398551.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs s0VxndYXq0.exe
Source: s0VxndYXq0.exe, 00000000.00000002.267211444.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFroor.dll4 vs s0VxndYXq0.exe
Source: s0VxndYXq0.exe, 00000000.00000003.253119443.00000000088CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePlates.dll4 vs s0VxndYXq0.exe
Source: s0VxndYXq0.exe, 00000000.00000000.224015352.0000000000552000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameChannelServicesD.exe2 vs s0VxndYXq0.exe
Source: s0VxndYXq0.exe, 00000000.00000002.278244309.000000000B4F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSchedulingClerk.dll. vs s0VxndYXq0.exe
Source: s0VxndYXq0.exe, 00000000.00000002.268898105.0000000004279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSchedulingClerk.dll. vs s0VxndYXq0.exe
Source: s0VxndYXq0.exe, 00000005.00000003.263421070.000000000111B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameChannelServicesD.exe2 vs s0VxndYXq0.exe
Source: s0VxndYXq0.exe	Binary or memory string: OriginalFilenameChannelServicesD.exe2 vs s0VxndYXq0.exe

Source: s0VxndYXq0.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: remcos.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: s0VxndYXq0.exe	Virustotal: Detection: 53%
Source: s0VxndYXq0.exe	ReversingLabs: Detection: 53%

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

File read: C:\Users\user\Desktop\s0VxndYXq0.exe

Jump to behavior

Source: s0VxndYXq0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\s0VxndYXq0.exe "C:\Users\user\Desktop\s0VxndYXq0.exe"
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process created: C:\Users\user\Desktop\s0VxndYXq0.exe C:\Users\user\Desktop\s0VxndYXq0.exe
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\install.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\remcos\remcos.exe "C:\Users\user\remcos\remcos.exe"
Source: unknown	Process created: C:\Users\user\remcos\remcos.exe "C:\Users\user\remcos\remcos.exe"
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: unknown	Process created: C:\Users\user\remcos\remcos.exe "C:\Users\user\remcos\remcos.exe"
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process created: C:\Users\user\Desktop\s0VxndYXq0.exe C:\Users\user\Desktop\s0VxndYXq0.exe
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\install.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\remcos\remcos.exe "C:\Users\user\remcos\remcos.exe"
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\s0VxndYXq0.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

File created: C:\Users\user\AppData\Local\Temp\install.bat

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@23/5@0/2

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: s0VxndYXq0.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\remcos\remcos.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\remcos\remcos.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\remcos\remcos.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\remcos\remcos.exe	Mutant created: \Sessions\1\BaseNamedObjects\remcos_totevzugmgbhhbj
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3708:120:WilError_01

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\install.bat" "

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: s0VxndYXq0.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: s0VxndYXq0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_07004C20 pushfd ; iretd
Source: C:\Users\user\remcos\remcos.exe	Code function: 9_2_0ADC5FAC push edx; ret

Source: initial sample	Static PE information: section name: .text entropy: 7.366377921746369
Source: initial sample	Static PE information: section name: .text entropy: 7.366377921746369

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

File created: C:\Users\user\remcos\remcos.exe

Jump to dropped file

Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run remcos			Jump to behavior
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run remcos			Jump to behavior

Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 2732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3908, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: s0VxndYXq0.exe, 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000005.00000002.268992522.0000000000410000.00000040.00000400.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.351006623.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 00000016.00000002.374683263.000000000336D000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000001A.00000002.341382253.0000000000410000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: remcos.exe, 0000001A.00000002.341382253.0000000000410000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: D/PD/P`\YISBIEDLL.DLL
Source: s0VxndYXq0.exe, 00000005.00000002.268992522.0000000000410000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: D/PD/P`\COSBIEDLL.DLL
Source: s0VxndYXq0.exe, 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2

Source: C:\Users\user\Desktop\s0VxndYXq0.exe TID: 4288	Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\Desktop\s0VxndYXq0.exe TID: 1400	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\remcos\remcos.exe TID: 2960	Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\remcos\remcos.exe TID: 3584	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\remcos\remcos.exe TID: 5536	Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\remcos\remcos.exe TID: 2860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\remcos\remcos.exe TID: 3656	Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\remcos\remcos.exe TID: 5752	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\remcos\remcos.exe TID: 2188	Thread sleep time: -50000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\remcos\remcos.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\remcos\remcos.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Thread delayed: delay time: 45877
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 45877
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 45877
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 45877
Source: C:\Users\user\remcos\remcos.exe	Thread delayed: delay time: 922337203685477

Source: s0VxndYXq0.exe, 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000005.00000002.268992522.0000000000410000.00000040.00000400.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000001A.00000002.341382253.0000000000410000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: s0VxndYXq0.exe, 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000005.00000002.268992522.0000000000410000.00000040.00000400.00020000.00000000.sdmp, remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000001A.00000002.341382253.0000000000410000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: @HARDWARE\ACPI\DSDT\VBOX__PROCMON_WINDOW_CLASSPROCEXPL21invalid vector<T> subscript?playaudiodatafmt WAVERIFF.wav%Y-%m-%d %H.%MgetcamsingleframenocamerastartcamcapclosecamgetcamframeinitcamcapFreeFrameGetFrameCloseCameraOpenCameracamdlldatacamframe\|dmc\|[DataStart][DataStart]0000%02i:%02i:%02i:%03i [KeepAlive] Enabled! (Timeout: %i seconds)
Source: remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\remcos\remcos.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Memory written: C:\Users\user\Desktop\s0VxndYXq0.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\remcos\remcos.exe	Memory written: C:\Users\user\remcos\remcos.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\remcos\remcos.exe	Memory written: C:\Users\user\remcos\remcos.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process created: C:\Users\user\Desktop\s0VxndYXq0.exe C:\Users\user\Desktop\s0VxndYXq0.exe
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\install.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\remcos\remcos.exe "C:\Users\user\remcos\remcos.exe"
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe
Source: C:\Users\user\remcos\remcos.exe	Process created: C:\Users\user\remcos\remcos.exe C:\Users\user\remcos\remcos.exe

Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Users\user\Desktop\s0VxndYXq0.exe VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\s0VxndYXq0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Users\user\remcos\remcos.exe VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Users\user\remcos\remcos.exe VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Users\user\remcos\remcos.exe VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation

Source: C:\Users\user\Desktop\s0VxndYXq0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.365233653.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.342391067.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.269857625.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.493007691.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 2732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 3264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 5540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 5580, type: MEMORYSTR

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.s0VxndYXq0.exe.452e400.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.4545420.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d17888.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2bab5e4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d021b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.2d0b63c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2bb7830.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.s0VxndYXq0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.452e400.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.4545420.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.remcos.exe.2ba2158.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.s0VxndYXq0.exe.45131e0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.365233653.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.342391067.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.269857625.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.493007691.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 2732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: s0VxndYXq0.exe PID: 3264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 5540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 3572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 5580, type: MEMORYSTR

Detected Remcos RAT

Source: s0VxndYXq0.exe, 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Remcos_Mutex_Inj
Source: s0VxndYXq0.exe, 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: s0VxndYXq0.exe, 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Remcos_Mutex_Inj
Source: s0VxndYXq0.exe, 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: s0VxndYXq0.exe, 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Remcos_Mutex_Inj
Source: s0VxndYXq0.exe, 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Remcos_Mutex_Inj
Source: remcos.exe, 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: remcos.exe, 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Remcos_Mutex_Inj
Source: remcos.exe, 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: remcos.exe, 0000001C.00000002.367697487.0000000000E27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Remcos_Mutex_Injser

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Masquerading	1 Input Capture	21 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Scripting	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Software Packing	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
s0VxndYXq0.exe	54%	Virustotal		Browse
s0VxndYXq0.exe	54%	ReversingLabs	ByteCode-MSIL.Trojan.Woreflint
s0VxndYXq0.exe	100%	Avira	TR/Kryptik.wodao
s0VxndYXq0.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\remcos\remcos.exe	100%	Avira	TR/Kryptik.wodao
C:\Users\user\remcos\remcos.exe	100%	Joe Sandbox ML
C:\Users\user\remcos\remcos.exe	54%	ReversingLabs	ByteCode-MSIL.Trojan.Woreflint

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.s0VxndYXq0.exe.452e400.8.unpack	100%	Avira	HEUR/AGEN.1219514	Download File
5.0.s0VxndYXq0.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1219514	Download File
0.2.s0VxndYXq0.exe.4545420.9.unpack	100%	Avira	HEUR/AGEN.1219514	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://bladecoding.com/lolnotes/leagueofstats.php?name=	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.comalsR	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
79.134.225.97	3%	Virustotal		Browse
79.134.225.97	0%	Avira URL Cloud	safe
http://www.agfamonotype.cw	0%	Avira URL Cloud	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fontbureau.comictav	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/%	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.fontbureau.com7	0%	Avira URL Cloud	safe
http://www.fontbureau.comalsk	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.com.TTF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/l-g	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.monotype.Wb	0%	Avira URL Cloud	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
79.134.225.97	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bladecoding.com/lolnotes/leagueofstats.php?name=	s0VxndYXq0.exe, remcos.exe.5.dr	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersF	s0VxndYXq0.exe, 00000000.00000003.237791179.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237771360.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237819421.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.lolking.net/summoner/	s0VxndYXq0.exe, remcos.exe.5.dr	false		high
http://www.fontbureau.comalsR	s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	s0VxndYXq0.exe, 00000000.00000003.237525657.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238027244.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comessed	s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersP	s0VxndYXq0.exe, 00000000.00000003.237710320.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.agfamonotype.cw	s0VxndYXq0.exe, 00000000.00000003.243809889.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.243932808.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.243586194.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244127013.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244021936.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.243771965.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.243848246.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244328823.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244234942.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.249288953.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.274138797.0000000005B2A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comalsF	s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersa	s0VxndYXq0.exe, 00000000.00000003.238476266.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238443260.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designerse	s0VxndYXq0.exe, 00000000.00000003.244079552.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comictav	s0VxndYXq0.exe, 00000000.00000003.244188865.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244610211.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244375972.0000000005AED000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/%	s0VxndYXq0.exe, 00000000.00000003.236244264.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com7	s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comalsk	s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com.TTF	s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designerst	s0VxndYXq0.exe, 00000000.00000003.244112658.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244079552.0000000005B1C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/l-g	s0VxndYXq0.exe, 00000000.00000003.236244264.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236394837.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y	s0VxndYXq0.exe, 00000000.00000003.236244264.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236394837.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244188865.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.274032296.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244610211.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244375972.0000000005AED000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.264248405.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://raw.github.com/bladecoding/LoLNotes/master/General.txtO	s0VxndYXq0.exe, remcos.exe.5.dr	false		high
http://www.jiyu-kobo.co.jp/jp/	s0VxndYXq0.exe, 00000000.00000003.236244264.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236394837.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.coma	s0VxndYXq0.exe, 00000000.00000003.244188865.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244610211.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244375972.0000000005AED000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designerses-es_tradnlw	s0VxndYXq0.exe, 00000000.00000003.237791179.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237910949.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237771360.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237851832.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237819421.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237952730.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comd	s0VxndYXq0.exe, 00000000.00000003.238946519.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/high6/LoLNotes	s0VxndYXq0.exe, remcos.exe.5.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237981073.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238107631.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238027244.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.monotype.Wb	s0VxndYXq0.exe, 00000000.00000003.237033632.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.237070417.0000000005B20000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comm	s0VxndYXq0.exe, 00000000.00000003.244188865.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244610211.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.244375972.0000000005AED000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	s0VxndYXq0.exe, 00000000.00000003.236102854.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.236394837.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://bit.ly/unCoIY?http://lolnotes-	s0VxndYXq0.exe, remcos.exe.5.dr	false		high
http://www.fontbureau.com/designers8	s0VxndYXq0.exe, 00000000.00000002.274487686.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp, s0VxndYXq0.exe, 00000000.00000003.238027244.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.97	unknown	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679299
Start date and time: 05/08/202214:59:08	2022-08-05 14:59:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 27s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	s0VxndYXq0 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@23/5@0/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 92% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:00:21	API Interceptor	2x Sleep call for process: s0VxndYXq0.exe modified
15:00:30	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run remcos "C:\Users\user\remcos\remcos.exe"
15:00:39	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run remcos "C:\Users\user\remcos\remcos.exe"
15:00:43	API Interceptor	6x Sleep call for process: remcos.exe modified

Process:	C:\Users\user\remcos\remcos.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\s0VxndYXq0.exe.log

Download File

Process:	C:\Users\user\Desktop\s0VxndYXq0.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\install.bat

Download File

Process:	C:\Users\user\Desktop\s0VxndYXq0.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	83
Entropy (8bit):	4.660536268409599
Encrypted:	false
SSDEEP:	3:cQxCvfn9m1t+CQHovBkwbM2n:cQ2fE1wCSovKwo2n
MD5:	F153731DF7A038F42AAA8D34E873FF25
SHA1:	1C90ACC2243D0DBEDEB28A8F7F719E605D80894D
SHA-256:	BC24BC26EE03AE15EE552CADF887C9FC201D19D76944321883E5C818D0E8A4AF
SHA-512:	F16A79B8A04E90B7B8F43D3001D51FDDDDC07B8D117D1CF978C35C96DDFFD161E6901DA5446EB42758DC980FC79ADC8BCA1B5DA640AB294BD24A8944FF0D01CA
Malicious:	false
Preview:	PING 127.0.0.1 -n 2 ..start "" "C:\Users\user\remcos\remcos.exe"..del %0 ..exit ..

C:\Users\user\remcos\remcos.exe

Download File

Process:	C:\Users\user\Desktop\s0VxndYXq0.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	950272
Entropy (8bit):	7.359178629458712
Encrypted:	false
SSDEEP:	12288:4Rb0kj3oTB2b2UVFdPBGjIKHfrLPVPf1cLlq+R3rU8weZd+ydGRuwJGdaTuM18N5:4RA0siGjIKHf/NH1eFR7U8wWkTRk
MD5:	DE9784A4F56EAF8AFFC96754A15A5CD3
SHA1:	35C361A8BFDB894E80FE99728E60AD7D08745AF1
SHA-256:	F384A96582763BE490EA4EEED6D3F10291D7DF964F64DB077B4D10697149A7DA
SHA-512:	8576E0ED22421F70350A1108129E6DFA0190335724561CA5093E22A8CEB2E6AD0D61DB77A86C4603C60F4627C091D576B9174DAA2C0545D9D1E032502BC19E3E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\remcos\remcos.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 54%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.b..............0..`..........n~... ........@.. ....................................@..................................~..W.................................................................................... ............... ..H............text...t^... ...`.................. ..`.rsrc................b..............@..@.reloc...............~..............@..B................P~......H........E..\|8......+...X...@E............................................U.....U..`.E.f.8.u...3..f9H.u..@.....a.........0..............0...........(......0...........(......0...........(......0..<........(#.......(.......(.......(........(........(........(......0...........{......0............}.....0...........{......0............}.....0...........{......0............}.....0...........{......0............}.....0...........{......0............}....*.0..........

C:\Users\user\remcos\remcos.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\s0VxndYXq0.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.359178629458712
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	s0VxndYXq0.exe
File size:	950272
MD5:	de9784a4f56eaf8affc96754a15a5cd3
SHA1:	35c361a8bfdb894e80fe99728e60ad7d08745af1
SHA256:	f384a96582763be490ea4eeed6d3f10291d7df964f64db077b4d10697149a7da
SHA512:	8576e0ed22421f70350a1108129e6dfa0190335724561ca5093e22a8ceb2e6ad0d61db77a86c4603c60f4627c091d576b9174daa2c0545d9d1e032502bc19e3e
SSDEEP:	12288:4Rb0kj3oTB2b2UVFdPBGjIKHfrLPVPf1cLlq+R3rU8weZd+ydGRuwJGdaTuM18N5:4RA0siGjIKHf/NH1eFR7U8wWkTRk
TLSH:	5D155A99369071EFC857C976CA682C50FB31B576930FD207A45322ADAE0D6ABDF101F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.b..............0..`..........n~... ........@.. ....................................@................................

File Icon


Icon Hash:	397165848c36a18d

Static PE Info

General

Entrypoint:	0x4e7e6e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62E047C2 [Tue Jul 26 20:00:02 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe7e14	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe8000	0x1a90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe5e74	0xe6000	False	0.7169316830842392	data	7.366377921746369	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe8000	0x1a90	0x1c00	False	0.45717075892857145	data	5.558425499312093	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xe8160	0xd28	data
RT_GROUP_ICON	0xe8e88	0x14	data
RT_GROUP_ICON	0xe8e9c	0x14	data
RT_VERSION	0xe8eb0	0x33c	data
RT_MANIFEST	0xe91ec	0x8a3	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 15:00:51.489784956 CEST	49765	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:00:51.547962904 CEST	8600	49765	79.134.225.97	192.168.2.4
Aug 5, 2022 15:00:52.065028906 CEST	49765	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:00:52.123380899 CEST	8600	49765	79.134.225.97	192.168.2.4
Aug 5, 2022 15:00:52.709264040 CEST	49765	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:00:52.767832994 CEST	8600	49765	79.134.225.97	192.168.2.4
Aug 5, 2022 15:00:57.773063898 CEST	49770	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:00:57.832314014 CEST	8600	49770	79.134.225.97	192.168.2.4
Aug 5, 2022 15:00:58.334733009 CEST	49770	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:00:58.393183947 CEST	8600	49770	79.134.225.97	192.168.2.4
Aug 5, 2022 15:00:59.022278070 CEST	49770	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:00:59.080661058 CEST	8600	49770	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:04.092365980 CEST	49772	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:04.150609970 CEST	8600	49772	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:04.710223913 CEST	49772	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:04.768486977 CEST	8600	49772	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:05.413645983 CEST	49772	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:05.472306967 CEST	8600	49772	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:10.476984978 CEST	49773	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:10.535494089 CEST	8600	49773	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:11.132644892 CEST	49773	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:11.191097975 CEST	8600	49773	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:11.835798979 CEST	49773	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:11.897294044 CEST	8600	49773	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:16.906243086 CEST	49774	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:16.964862108 CEST	8600	49774	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:17.602025032 CEST	49774	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:17.660366058 CEST	8600	49774	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:18.211484909 CEST	49774	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:18.269845963 CEST	8600	49774	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:23.275614977 CEST	49776	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:23.334021091 CEST	8600	49776	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:23.914994955 CEST	49776	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:23.973387957 CEST	8600	49776	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:24.602653980 CEST	49776	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:24.661000013 CEST	8600	49776	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:29.691310883 CEST	49801	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:29.749579906 CEST	8600	49801	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:30.337486982 CEST	49801	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:30.395963907 CEST	8600	49801	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:31.024995089 CEST	49801	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:31.083328009 CEST	8600	49801	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:36.541906118 CEST	49819	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:36.600670099 CEST	8600	49819	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:37.135059118 CEST	49819	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:37.193582058 CEST	8600	49819	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:37.838089943 CEST	49819	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:37.896397114 CEST	8600	49819	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:42.902713060 CEST	49827	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:42.961273909 CEST	8600	49827	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:43.463576078 CEST	49827	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:43.522169113 CEST	8600	49827	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:44.026073933 CEST	49827	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:44.084547043 CEST	8600	49827	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:49.099905968 CEST	49836	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:49.158422947 CEST	8600	49836	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:49.667279005 CEST	49836	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:49.725716114 CEST	8600	49836	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:50.229877949 CEST	49836	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:50.288291931 CEST	8600	49836	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:56.090359926 CEST	49844	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:56.148978949 CEST	8600	49844	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:56.652179956 CEST	49844	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:56.710563898 CEST	8600	49844	79.134.225.97	192.168.2.4
Aug 5, 2022 15:01:57.214720964 CEST	49844	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:01:57.273039103 CEST	8600	49844	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:02.278929949 CEST	49861	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:02.337223053 CEST	8600	49861	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:02.840158939 CEST	49861	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:02.898443937 CEST	8600	49861	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:03.402717113 CEST	49861	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:03.460984945 CEST	8600	49861	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:09.368092060 CEST	49865	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:09.426564932 CEST	8600	49865	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:10.090811968 CEST	49865	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:10.149149895 CEST	8600	49865	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:10.700218916 CEST	49865	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:10.758519888 CEST	8600	49865	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:15.763689041 CEST	49866	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:15.821871996 CEST	8600	49866	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:16.325689077 CEST	49866	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:16.384908915 CEST	8600	49866	79.134.225.97	192.168.2.4
Aug 5, 2022 15:02:16.888501883 CEST	49866	8600	192.168.2.4	79.134.225.97
Aug 5, 2022 15:02:16.946827888 CEST	8600	49866	79.134.225.97	192.168.2.4

Target ID:	0
Start time:	15:00:07
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\s0VxndYXq0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\s0VxndYXq0.exe"
Imagebase:	0x550000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Remcos, Description: detect Remcos in memory, Source: 00000000.00000002.271680078.0000000004513000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Remcos, Description: detect Remcos in memory, Source: 00000000.00000002.268436636.0000000002CD7000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: s0VxndYXq0.exePID: 3264, Parent PID: 2732

General

Target ID:	5
Start time:	15:00:23
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\s0VxndYXq0.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\s0VxndYXq0.exe
Imagebase:	0x930000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000000.261466626.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.269857625.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: cmd.exePID: 3704, Parent PID: 3264

General

Target ID:	6
Start time:	15:00:27
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\install.bat" "
Imagebase:	0x1190000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 3708, Parent PID: 3704

General

Target ID:	7
Start time:	15:00:28
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7338d0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: PING.EXEPID: 5088, Parent PID: 3704

General

Target ID:	8
Start time:	15:00:29
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	PING 127.0.0.1 -n 2
Imagebase:	0x13b0000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: remcos.exePID: 3908, Parent PID: 3704

General

Target ID:	9
Start time:	15:00:30
Start date:	05/08/2022
Path:	C:\Users\user\remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\remcos\remcos.exe"
Imagebase:	0x530000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Remcos, Description: detect Remcos in memory, Source: 00000009.00000002.336989263.0000000002B77000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\remcos\remcos.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 54%, ReversingLabs
Reputation:	low

Analysis Process: remcos.exePID: 5540, Parent PID: 3616

General

Target ID:	12
Start time:	15:00:39
Start date:	05/08/2022
Path:	C:\Users\user\remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\remcos\remcos.exe"
Imagebase:	0x950000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Remcos, Description: detect Remcos in memory, Source: 0000000C.00000002.351406709.0000000002FDB000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: remcos.exePID: 1924, Parent PID: 3908

General

Target ID:	21
Start time:	15:00:47
Start date:	05/08/2022
Path:	C:\Users\user\remcos\remcos.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\remcos\remcos.exe
Imagebase:	0x1b0000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: remcos.exePID: 4776, Parent PID: 3616

General

Target ID:	22
Start time:	15:00:47
Start date:	05/08/2022
Path:	C:\Users\user\remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\remcos\remcos.exe"
Imagebase:	0xb70000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: remcos.exePID: 5456, Parent PID: 3908

General

Target ID:	23
Start time:	15:00:48
Start date:	05/08/2022
Path:	C:\Users\user\remcos\remcos.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\remcos\remcos.exe
Imagebase:	0x80000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: remcos.exePID: 3572, Parent PID: 3908

General

Target ID:	24
Start time:	15:00:49
Start date:	05/08/2022
Path:	C:\Users\user\remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\remcos\remcos.exe
Imagebase:	0x850000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.493007691.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: remcos.exePID: 5580, Parent PID: 5540

General

Target ID:	26
Start time:	15:01:00
Start date:	05/08/2022
Path:	C:\Users\user\remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\remcos\remcos.exe
Imagebase:	0xbe0000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.342391067.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: remcos.exePID: 5832, Parent PID: 4776

General

Target ID:	28
Start time:	15:01:11
Start date:	05/08/2022
Path:	C:\Users\user\remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\remcos\remcos.exe
Imagebase:	0x650000
File size:	950272 bytes
MD5 hash:	DE9784A4F56EAF8AFFC96754A15A5CD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.365233653.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report s0VxndYXq0

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Remcos

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\remcos.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\s0VxndYXq0.exe.log

C:\Users\user\AppData\Local\Temp\install.bat

C:\Users\user\remcos\remcos.exe

C:\Users\user\remcos\remcos.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
s0VxndYXq0