Windows Analysis Report
ORDER AND SPECIFICATIONS.scr.exe

Overview

General Information

Sample name: ORDER AND SPECIFICATIONS.scr.exe
Analysis ID: 1559970
MD5: 08b5fa6876e0dc8d5c226597d89e646b
SHA1: 4b5f7b0dd2303c81427f9ab47ff9046c43718552
SHA256: 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361
Tags: exeuser-lowmal3
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Found malware configuration
Source: 00000011.00000002.1921104180.00000000010B7000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["16.54:6092:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-YJ70D0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Enable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\Remcos\remcos.exe ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: ORDER AND SPECIFICATIONS.scr.exe ReversingLabs: Detection: 39%
Source: ORDER AND SPECIFICATIONS.scr.exe Virustotal: Detection: 45% Perma Link
Yara detected Remcos RAT
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1724701599.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1921104180.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2956392919.0000000001417000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1714038112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2000409352.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1736104866.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2957635105.000000000304F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1726400682.0000000004515000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1726400682.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 6840, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 7076, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 2144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 5888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 2496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 3512, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\Remcos\logs.dat, type: DROPPED
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\ProgramData\Remcos\remcos.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ORDER AND SPECIFICATIONS.scr.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 3_2_0043293A
Source: ORDER AND SPECIFICATIONS.scr.exe, 00000000.00000002.1726400682.0000000003A09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_ea920cf0-8

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1714038112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1726400682.0000000004515000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1726400682.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 6840, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 7076, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00406764 _wcslen,CoGetObject, 3_2_00406764
Uses 32bit PE files
Source: ORDER AND SPECIFICATIONS.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ORDER AND SPECIFICATIONS.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: iwOt.pdb source: ORDER AND SPECIFICATIONS.scr.exe, remcos.exe.3.dr
Source: Binary string: iwOt.pdbSHA256 source: ORDER AND SPECIFICATIONS.scr.exe, remcos.exe.3.dr
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 3_2_0040B335
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 3_2_0041B42F
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 3_2_0040B53A
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 3_2_004089A9
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00406AC2 FindFirstFileW,FindNextFileW, 3_2_00406AC2
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 3_2_00407A8C
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 3_2_00418C69
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 3_2_00408DA7
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 3_2_00406F06

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49732 -> 154.216.16.54:6092
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49741 -> 154.216.16.54:6092
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49742 -> 154.216.16.54:6092
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49740 -> 154.216.16.54:6092
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 16.54
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49732 -> 154.216.16.54:6092
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49734 -> 178.237.33.50:80
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.54
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_004260F7 recv, 3_2_004260F7
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: ORDER AND SPECIFICATIONS.scr.exe, 00000003.00000002.1724701599.0000000000C50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMO
Source: ORDER AND SPECIFICATIONS.scr.exe, remcos.exe.3.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: ORDER AND SPECIFICATIONS.scr.exe, remcos.exe.3.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ORDER AND SPECIFICATIONS.scr.exe, remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: ORDER AND SPECIFICATIONS.scr.exe, 00000000.00000002.1726400682.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, ORDER AND SPECIFICATIONS.scr.exe, 00000000.00000002.1726400682.0000000004515000.00000004.00000800.00020000.00000000.sdmp, ORDER AND SPECIFICATIONS.scr.exe, 00000003.00000002.1714038112.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpi8)
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpn;
Source: remcos.exe, 0000000B.00000002.2959871045.0000000005B90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://iptc.orgxm
Source: remcos.exe, 0000000B.00000002.2959871045.0000000005B90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.0
Source: remcos.exe, 0000000B.00000002.2959871045.0000000005B90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.xa
Source: ORDER AND SPECIFICATIONS.scr.exe, remcos.exe.3.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: ORDER AND SPECIFICATIONS.scr.exe, 00000000.00000002.1725661879.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 00000004.00000002.1742567144.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000000A.00000002.1842092650.0000000003151000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000000F.00000002.1923273343.00000000034B8000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 00000012.00000002.2002757530.0000000002858000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ORDER AND SPECIFICATIONS.scr.exe, remcos.exe.3.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 3_2_004099E4
Installs a global keyboard hook
Source: C:\ProgramData\Remcos\remcos.exe Windows user hook set: 0 keyboard low level C:\ProgramData\Remcos\remcos.exe
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_004159C6
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_004159C6
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_004159C6
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 3_2_00409B10
Yara detected Keylogger Generic
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1714038112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1726400682.0000000004515000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1726400682.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 6840, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 7076, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 5800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 5812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 3264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 3140, type: MEMORYSTR

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1724701599.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1921104180.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2956392919.0000000001417000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1714038112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2000409352.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1736104866.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2957635105.000000000304F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1726400682.0000000004515000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1726400682.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 6840, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 7076, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 2144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 5888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 2496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 3512, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\Remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0041BB71 SystemParametersInfoW, 3_2_0041BB71
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0041BB77 SystemParametersInfoW, 3_2_0041BB77

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000003.00000002.1714038112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.1714038112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.1714038112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1726400682.0000000004515000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1726400682.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 6840, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 7076, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: ORDER AND SPECIFICATIONS.scr.exe
Abnormal high CPU Usage
Source: C:\ProgramData\Remcos\remcos.exe Process Stats: CPU usage > 49%
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 3_2_004158B9
Detected potential crypto function
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 0_2_0299D55C 0_2_0299D55C
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 0_2_04F967E0 0_2_04F967E0
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 0_2_04F9E858 0_2_04F9E858
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 0_2_04F967D2 0_2_04F967D2
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 0_2_04F9D789 0_2_04F9D789
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 0_2_04F90040 0_2_04F90040
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 0_2_04F9001C 0_2_04F9001C
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 0_2_04F9C154 0_2_04F9C154
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0041D071 3_2_0041D071
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_004520D2 3_2_004520D2
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0043D098 3_2_0043D098
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00437150 3_2_00437150
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_004361AA 3_2_004361AA
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00426254 3_2_00426254
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00431377 3_2_00431377
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0043651C 3_2_0043651C
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0041E5DF 3_2_0041E5DF
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0044C739 3_2_0044C739
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_004367C6 3_2_004367C6
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_004267CB 3_2_004267CB
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0043C9DD 3_2_0043C9DD
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00432A49 3_2_00432A49
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00436A8D 3_2_00436A8D
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0043CC0C 3_2_0043CC0C
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00436D48 3_2_00436D48
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00434D22 3_2_00434D22
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00426E73 3_2_00426E73
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00440E20 3_2_00440E20
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0043CE3B 3_2_0043CE3B
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00412F45 3_2_00412F45
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00452F00 3_2_00452F00
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00426FAD 3_2_00426FAD
Source: C:\ProgramData\Remcos\remcos.exe Code function: 4_2_0166D55C 4_2_0166D55C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 4_2_05B27A38 4_2_05B27A38
Source: C:\ProgramData\Remcos\remcos.exe Code function: 4_2_05B21D08 4_2_05B21D08
Source: C:\ProgramData\Remcos\remcos.exe Code function: 4_2_05B23D60 4_2_05B23D60
Source: C:\ProgramData\Remcos\remcos.exe Code function: 4_2_05B23D4F 4_2_05B23D4F
Source: C:\ProgramData\Remcos\remcos.exe Code function: 4_2_05B21498 4_2_05B21498
Source: C:\ProgramData\Remcos\remcos.exe Code function: 4_2_05B21462 4_2_05B21462
Source: C:\ProgramData\Remcos\remcos.exe Code function: 4_2_05B22130 4_2_05B22130
Source: C:\ProgramData\Remcos\remcos.exe Code function: 4_2_05B22140 4_2_05B22140
Source: C:\ProgramData\Remcos\remcos.exe Code function: 4_2_05B218D0 4_2_05B218D0
Source: C:\ProgramData\Remcos\remcos.exe Code function: 4_2_05B218C1 4_2_05B218C1
Source: C:\ProgramData\Remcos\remcos.exe Code function: 4_2_06132106 4_2_06132106
Source: C:\ProgramData\Remcos\remcos.exe Code function: 4_2_061334B8 4_2_061334B8
Source: C:\ProgramData\Remcos\remcos.exe Code function: 4_2_061334A7 4_2_061334A7
Source: C:\ProgramData\Remcos\remcos.exe Code function: 4_2_06139950 4_2_06139950
Source: C:\ProgramData\Remcos\remcos.exe Code function: 4_2_06139960 4_2_06139960
Source: C:\ProgramData\Remcos\remcos.exe Code function: 10_2_0141D55C 10_2_0141D55C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 15_2_0177D55C 15_2_0177D55C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 18_2_00F2D55C 18_2_00F2D55C
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: String function: 004020E7 appears 39 times
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: String function: 004338A5 appears 41 times
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: String function: 00433FB0 appears 55 times
One or more processes crash
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 1980
PE / OLE file has an invalid certificate
Source: ORDER AND SPECIFICATIONS.scr.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: ORDER AND SPECIFICATIONS.scr.exe, 00000000.00000002.1734711693.0000000005D20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs ORDER AND SPECIFICATIONS.scr.exe
Source: ORDER AND SPECIFICATIONS.scr.exe, 00000000.00000002.1726400682.0000000003A09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs ORDER AND SPECIFICATIONS.scr.exe
Source: ORDER AND SPECIFICATIONS.scr.exe, 00000000.00000002.1717529648.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ORDER AND SPECIFICATIONS.scr.exe
Source: ORDER AND SPECIFICATIONS.scr.exe, 00000000.00000000.1697460194.00000000006F5000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameiwOt.exe: vs ORDER AND SPECIFICATIONS.scr.exe
Source: ORDER AND SPECIFICATIONS.scr.exe, 00000000.00000002.1731734994.0000000005260000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs ORDER AND SPECIFICATIONS.scr.exe
Source: ORDER AND SPECIFICATIONS.scr.exe, 00000000.00000002.1733533133.0000000005B42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs ORDER AND SPECIFICATIONS.scr.exe
Source: ORDER AND SPECIFICATIONS.scr.exe, 00000000.00000002.1725661879.0000000002A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs ORDER AND SPECIFICATIONS.scr.exe
Source: ORDER AND SPECIFICATIONS.scr.exe, 00000003.00000002.1724701599.0000000000C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameiwOt.exe: vs ORDER AND SPECIFICATIONS.scr.exe
Source: ORDER AND SPECIFICATIONS.scr.exe Binary or memory string: OriginalFilenameiwOt.exe: vs ORDER AND SPECIFICATIONS.scr.exe
Uses 32bit PE files
Source: ORDER AND SPECIFICATIONS.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000003.00000002.1714038112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.1714038112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.1714038112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1726400682.0000000004515000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1726400682.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 6840, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 7076, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: ORDER AND SPECIFICATIONS.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: remcos.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, R3LI2JlBQK2y8eTkWd.cs Security API names: _0020.SetAccessControl
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, R3LI2JlBQK2y8eTkWd.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, R3LI2JlBQK2y8eTkWd.cs Security API names: _0020.AddAccessRule
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, yeQg4VjmhhFXIWIfLn.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, yeQg4VjmhhFXIWIfLn.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, R3LI2JlBQK2y8eTkWd.cs Security API names: _0020.SetAccessControl
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, R3LI2JlBQK2y8eTkWd.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, R3LI2JlBQK2y8eTkWd.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@30/19@1/2
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 3_2_00416AB7
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 3_2_0040E219
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource, 3_2_0041A63F
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 3_2_00419BC4
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER AND SPECIFICATIONS.scr.exe.log Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Mutant created: NULL
Source: C:\ProgramData\Remcos\remcos.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-YJ70D0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5888
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kqkj5rvy.14m.ps1 Jump to behavior
Source: ORDER AND SPECIFICATIONS.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ORDER AND SPECIFICATIONS.scr.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: ORDER AND SPECIFICATIONS.scr.exe ReversingLabs: Detection: 39%
Source: ORDER AND SPECIFICATIONS.scr.exe Virustotal: Detection: 45%
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe File read: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe "C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe"
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process created: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe "C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe"
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 1980
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe" Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process created: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe "C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe" Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe" Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: amsi.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: userenv.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: propsys.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: edputil.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: netutils.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: slc.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: sppc.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: netutils.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: amsi.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: userenv.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: winmm.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: urlmon.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wininet.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: iertutil.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: srvcli.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: netutils.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: sspicli.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: mswsock.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wldp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: profapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: winhttp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: winnsi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windowscodecs.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: mscoree.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: version.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wldp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: profapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: amsi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: userenv.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: msasn1.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: gpapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windowscodecs.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: winmm.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: urlmon.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wininet.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: iertutil.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: srvcli.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: netutils.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: mscoree.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: version.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wldp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: profapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: amsi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: userenv.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: msasn1.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: gpapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windowscodecs.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: winmm.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: urlmon.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wininet.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: iertutil.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: srvcli.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: netutils.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: ORDER AND SPECIFICATIONS.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ORDER AND SPECIFICATIONS.scr.exe Static file information: File size 1231368 > 1048576
Source: ORDER AND SPECIFICATIONS.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: ORDER AND SPECIFICATIONS.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: iwOt.pdb source: ORDER AND SPECIFICATIONS.scr.exe, remcos.exe.3.dr
Source: Binary string: iwOt.pdbSHA256 source: ORDER AND SPECIFICATIONS.scr.exe, remcos.exe.3.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, R3LI2JlBQK2y8eTkWd.cs .Net Code: OEd7XNGEJw System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, R3LI2JlBQK2y8eTkWd.cs .Net Code: OEd7XNGEJw System.Reflection.Assembly.Load(byte[])
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_0041BCE3
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_004567E0 push eax; ret 3_2_004567FE
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0045B9DD push esi; ret 3_2_0045B9E6
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00455EAF push ecx; ret 3_2_00455EC2
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00433FF6 push ecx; ret 3_2_00434009
Source: ORDER AND SPECIFICATIONS.scr.exe Static PE information: section name: .text entropy: 7.896990214277132
Source: remcos.exe.3.dr Static PE information: section name: .text entropy: 7.896990214277132
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, CM1SvK5aHRBmoIilg5d.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kPYqvUiJXo', 'crhq1BOKfb', 'BdmqSUZ0Yc', 'TA0qrtKtnr', 'Lv5qF2nNCv', 'l2Bq6T43nQ', 'EHgqxEktXh'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, aFKh0AkOviDq79TlMZ.cs High entropy of concatenated method names: 'Ah9ZncdykC', 'OokZuO7bV3', 'C3bD9bUpUi', 'wi3Dtj4ce6', 'Q9rDwCyrkx', 'BchDWREurj', 'BocDPYidkW', 'KFZD2CEm07', 'LLZDgFPs16', 'C0PDbUrg5P'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, XMHDskxNcMKySahmy5.cs High entropy of concatenated method names: 'chtQTEPh0d', 'ewRQMgTCsV', 'ToString', 'DB6QAbFSRX', 'jrBQdpRnjN', 'puFQDJlLAb', 'YC1QZeYj9t', 'DgMQGn4QGf', 'FMyQYYhKo1', 'tZEQl8Ou9K'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, WS66AxRbRfhg7WgBoK.cs High entropy of concatenated method names: 'Gk6qDfVJBJ', 'e6bqZYRSK8', 'nfnqGEU43n', 'nAyqYS7O1N', 'apfqilAN4U', 'VZSqlenS14', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, PgcKGFgyrKLjswocpR.cs High entropy of concatenated method names: 'QsnYKSvaXw', 'yV4YJTQ4lc', 'fC5YXvV48E', 'SO5YHtJFRd', 'dkpYnirPpY', 'L5PY41d8hS', 'tXcYut3sNj', 'emPYj7CI0b', 'kxWYIVOv1F', 'Y6BYkXhqqi'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, yeQg4VjmhhFXIWIfLn.cs High entropy of concatenated method names: 'uGKdrvck7G', 'umqdFvNdO8', 'L8xd6Uv3Pv', 'bvJdxCQofk', 'xWIdhmO9r8', 'IVddBCC0S4', 'tPxdcPS2nL', 'NBrd0WXN8Y', 'Vghd3I1PV3', 'yShdRNUQMP'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, WqsZDfUjB3PQ43Mfrn.cs High entropy of concatenated method names: 'OMnGNndbjr', 'EnoGdAnQ7n', 'UShGZCqatj', 'wwgGYc5J6b', 'jTEGlFCeb1', 'ulRZh4spRm', 'qb8ZB0Zio6', 'PRIZccGoTw', 'OMXZ0V2CrU', 'YwqZ3mpuGZ'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, EFific5pTYlS4eZ1SmV.cs High entropy of concatenated method names: 'ToString', 'opROjYVAH3', 'lhLOI5EAoF', 'bYjOkSJQvD', 'NvsOUMLasY', 'zuAOmexJrF', 'K15O9blhCc', 'LK4OtaPJPK', 'WfINoxmJLqSVMACFm2q', 'l7VnRjmMqPMEr0Iecmb'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, GLI6qy7bQZrIGiQRfp.cs High entropy of concatenated method names: 'BKJ5YeQg4V', 'Ghh5lFXIWI', 'Nre5TjC4Yi', 'sFg5M2aFKh', 'HTl5oMZ0qs', 'hDf5yjB3PQ', 'EEQoGcM0monefyTpdk', 'Fxk8hmdsFCX1nW1Hfv', 'hfA55pMggy', 'aAa5VqL9PO'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, lgbkisB8yo6f8s309s.cs High entropy of concatenated method names: 'CkxQ0KroLZ', 'FpjQR4bOJT', 'gAnfanHkO3', 'X7of5i0HNx', 'flUQvJoCQE', 'T9eQ1IFUFY', 'tojQSyCJ8R', 'y1OQr868XW', 'BxgQF4rKr5', 'l0jQ6Ehn7o'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, FqKhtQ3CAUQFEjJpoy.cs High entropy of concatenated method names: 'UPuiU7yqew', 'AEDimWMG8U', 'xOOi9ILojN', 'u1AitUkV1r', 'l8GiwjtyXI', 'AyyiWrAHW8', 'ixAiPdws96', 'pKxi2Jr2Ad', 'ocQigGOMUZ', 'fW7ibMjxcm'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, R3LI2JlBQK2y8eTkWd.cs High entropy of concatenated method names: 'zgUVNBaOYP', 't0EVA0silE', 'ldCVdXXc8X', 'MISVDMZKjM', 'xYvVZOeqXf', 'vQbVGHgSDW', 'nBNVYssbKB', 'afpVlVr8Bq', 'oTAVe1uil4', 'FVbVT4ihlJ'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, Hir1agIrejC4YiiFg2.cs High entropy of concatenated method names: 'TMRDHMDW4f', 'PMyD4N9NDk', 'QCwDjGSxdr', 'vKFDINr16i', 'FO9DooRS3t', 'uuFDyC9trZ', 'ei9DQwntON', 'm9nDfFOPyb', 'sZDDiFp7lk', 'LO7DqUNCP9'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, Qa1aIySOtIRN9xbRsE.cs High entropy of concatenated method names: 'G95sjr9je9', 'upUsIVlI7T', 'zWnsU5g4HT', 'gROsmTTxdk', 'Qv7ste9Yih', 'SEVswIcdr5', 'KB0sPVdZtU', 'W9ms2nV4Xg', 'Yr2sbhAZv8', 'PgVsvassex'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, k1r20Jc2DdECPO5mmR.cs High entropy of concatenated method names: 'WrBionjGkD', 'i3niQOj57v', 'yPRiiUNbRZ', 'za7iOP4t80', 'M8kiCPT3Lx', 'XLYiEyv60P', 'Dispose', 'rgvfA7aWYh', 'VlkfdS1TfD', 'g4OfD2XC67'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, Rl1aSm57RNmZGAmDlj6.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EiiLicQpOJ', 'tHsLqRm2Bp', 'R5CLO8TMPm', 'cCRLLKVT6M', 'mxZLCy7FpH', 'GwYL8P6GU4', 'AbILEY43Um'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, XkHHP1PXcMexuadJ6m.cs High entropy of concatenated method names: 'VEVYAAUCwF', 'DfpYD4VoeD', 'sBXYGkkQF8', 'iWTGRfxZcO', 'P2RGzaILoU', 'dOOYaHIHZR', 'GumY5SyLls', 'iqqYpCQvsm', 'zdpYVRhCcM', 'fl9Y7OvRGs'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, QlpM4AzDEVrHsjvFGv.cs High entropy of concatenated method names: 'aPVq4UT5Jb', 'EFYqjLd1Xh', 'b5oqIMrShr', 'qmnqUM5tP3', 'm9Jqmpk1rB', 'kWxqtBK25G', 'd5LqwnlAIL', 'VaxqEfFQ5s', 'kO1qKeMUU4', 'iVqqJE9GhY'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, h896RSppyvh7vnsuSB.cs High entropy of concatenated method names: 'IvtXS1a1C', 'BjVHtNuZn', 'KXP48aBcn', 'HspunnNcr', 'H5yIiT4ek', 'TvdkWaRgh', 'UC0flqAp3QV3wFHyLL', 'XCAnXBXhv26L5aIp37', 'rNefDdPG7', 'FdfqmMc87'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, Gd5w0hdOJudD7IjOMP.cs High entropy of concatenated method names: 'Dispose', 'gEC53PO5mm', 'AZkpmmjg08', 'TZcLhfaEIm', 'YKS5RCAvFa', 'sI85zmwKW8', 'ProcessDialogKey', 'PokpaqKhtQ', 'vAUp5QFEjJ', 'coyppcS66A'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3b8f658.1.raw.unpack, W28QPp551uMj0qaJcaa.cs High entropy of concatenated method names: 'VhIqRCvQ6c', 'estqz3qnSN', 'DcZOaCkiRU', 'mSGO5wM5IT', 'xenOpJ8b72', 'GEHOVDh3CC', 'Gr5O7jBVOi', 'jA1ONocI4Q', 'hDAOAraOcU', 'u2JOdbBRvB'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, CM1SvK5aHRBmoIilg5d.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kPYqvUiJXo', 'crhq1BOKfb', 'BdmqSUZ0Yc', 'TA0qrtKtnr', 'Lv5qF2nNCv', 'l2Bq6T43nQ', 'EHgqxEktXh'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, aFKh0AkOviDq79TlMZ.cs High entropy of concatenated method names: 'Ah9ZncdykC', 'OokZuO7bV3', 'C3bD9bUpUi', 'wi3Dtj4ce6', 'Q9rDwCyrkx', 'BchDWREurj', 'BocDPYidkW', 'KFZD2CEm07', 'LLZDgFPs16', 'C0PDbUrg5P'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, XMHDskxNcMKySahmy5.cs High entropy of concatenated method names: 'chtQTEPh0d', 'ewRQMgTCsV', 'ToString', 'DB6QAbFSRX', 'jrBQdpRnjN', 'puFQDJlLAb', 'YC1QZeYj9t', 'DgMQGn4QGf', 'FMyQYYhKo1', 'tZEQl8Ou9K'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, WS66AxRbRfhg7WgBoK.cs High entropy of concatenated method names: 'Gk6qDfVJBJ', 'e6bqZYRSK8', 'nfnqGEU43n', 'nAyqYS7O1N', 'apfqilAN4U', 'VZSqlenS14', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, PgcKGFgyrKLjswocpR.cs High entropy of concatenated method names: 'QsnYKSvaXw', 'yV4YJTQ4lc', 'fC5YXvV48E', 'SO5YHtJFRd', 'dkpYnirPpY', 'L5PY41d8hS', 'tXcYut3sNj', 'emPYj7CI0b', 'kxWYIVOv1F', 'Y6BYkXhqqi'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, yeQg4VjmhhFXIWIfLn.cs High entropy of concatenated method names: 'uGKdrvck7G', 'umqdFvNdO8', 'L8xd6Uv3Pv', 'bvJdxCQofk', 'xWIdhmO9r8', 'IVddBCC0S4', 'tPxdcPS2nL', 'NBrd0WXN8Y', 'Vghd3I1PV3', 'yShdRNUQMP'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, WqsZDfUjB3PQ43Mfrn.cs High entropy of concatenated method names: 'OMnGNndbjr', 'EnoGdAnQ7n', 'UShGZCqatj', 'wwgGYc5J6b', 'jTEGlFCeb1', 'ulRZh4spRm', 'qb8ZB0Zio6', 'PRIZccGoTw', 'OMXZ0V2CrU', 'YwqZ3mpuGZ'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, EFific5pTYlS4eZ1SmV.cs High entropy of concatenated method names: 'ToString', 'opROjYVAH3', 'lhLOI5EAoF', 'bYjOkSJQvD', 'NvsOUMLasY', 'zuAOmexJrF', 'K15O9blhCc', 'LK4OtaPJPK', 'WfINoxmJLqSVMACFm2q', 'l7VnRjmMqPMEr0Iecmb'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, GLI6qy7bQZrIGiQRfp.cs High entropy of concatenated method names: 'BKJ5YeQg4V', 'Ghh5lFXIWI', 'Nre5TjC4Yi', 'sFg5M2aFKh', 'HTl5oMZ0qs', 'hDf5yjB3PQ', 'EEQoGcM0monefyTpdk', 'Fxk8hmdsFCX1nW1Hfv', 'hfA55pMggy', 'aAa5VqL9PO'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, lgbkisB8yo6f8s309s.cs High entropy of concatenated method names: 'CkxQ0KroLZ', 'FpjQR4bOJT', 'gAnfanHkO3', 'X7of5i0HNx', 'flUQvJoCQE', 'T9eQ1IFUFY', 'tojQSyCJ8R', 'y1OQr868XW', 'BxgQF4rKr5', 'l0jQ6Ehn7o'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, FqKhtQ3CAUQFEjJpoy.cs High entropy of concatenated method names: 'UPuiU7yqew', 'AEDimWMG8U', 'xOOi9ILojN', 'u1AitUkV1r', 'l8GiwjtyXI', 'AyyiWrAHW8', 'ixAiPdws96', 'pKxi2Jr2Ad', 'ocQigGOMUZ', 'fW7ibMjxcm'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, R3LI2JlBQK2y8eTkWd.cs High entropy of concatenated method names: 'zgUVNBaOYP', 't0EVA0silE', 'ldCVdXXc8X', 'MISVDMZKjM', 'xYvVZOeqXf', 'vQbVGHgSDW', 'nBNVYssbKB', 'afpVlVr8Bq', 'oTAVe1uil4', 'FVbVT4ihlJ'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, Hir1agIrejC4YiiFg2.cs High entropy of concatenated method names: 'TMRDHMDW4f', 'PMyD4N9NDk', 'QCwDjGSxdr', 'vKFDINr16i', 'FO9DooRS3t', 'uuFDyC9trZ', 'ei9DQwntON', 'm9nDfFOPyb', 'sZDDiFp7lk', 'LO7DqUNCP9'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, Qa1aIySOtIRN9xbRsE.cs High entropy of concatenated method names: 'G95sjr9je9', 'upUsIVlI7T', 'zWnsU5g4HT', 'gROsmTTxdk', 'Qv7ste9Yih', 'SEVswIcdr5', 'KB0sPVdZtU', 'W9ms2nV4Xg', 'Yr2sbhAZv8', 'PgVsvassex'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, k1r20Jc2DdECPO5mmR.cs High entropy of concatenated method names: 'WrBionjGkD', 'i3niQOj57v', 'yPRiiUNbRZ', 'za7iOP4t80', 'M8kiCPT3Lx', 'XLYiEyv60P', 'Dispose', 'rgvfA7aWYh', 'VlkfdS1TfD', 'g4OfD2XC67'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, Rl1aSm57RNmZGAmDlj6.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EiiLicQpOJ', 'tHsLqRm2Bp', 'R5CLO8TMPm', 'cCRLLKVT6M', 'mxZLCy7FpH', 'GwYL8P6GU4', 'AbILEY43Um'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, XkHHP1PXcMexuadJ6m.cs High entropy of concatenated method names: 'VEVYAAUCwF', 'DfpYD4VoeD', 'sBXYGkkQF8', 'iWTGRfxZcO', 'P2RGzaILoU', 'dOOYaHIHZR', 'GumY5SyLls', 'iqqYpCQvsm', 'zdpYVRhCcM', 'fl9Y7OvRGs'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, QlpM4AzDEVrHsjvFGv.cs High entropy of concatenated method names: 'aPVq4UT5Jb', 'EFYqjLd1Xh', 'b5oqIMrShr', 'qmnqUM5tP3', 'm9Jqmpk1rB', 'kWxqtBK25G', 'd5LqwnlAIL', 'VaxqEfFQ5s', 'kO1qKeMUU4', 'iVqqJE9GhY'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, h896RSppyvh7vnsuSB.cs High entropy of concatenated method names: 'IvtXS1a1C', 'BjVHtNuZn', 'KXP48aBcn', 'HspunnNcr', 'H5yIiT4ek', 'TvdkWaRgh', 'UC0flqAp3QV3wFHyLL', 'XCAnXBXhv26L5aIp37', 'rNefDdPG7', 'FdfqmMc87'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, Gd5w0hdOJudD7IjOMP.cs High entropy of concatenated method names: 'Dispose', 'gEC53PO5mm', 'AZkpmmjg08', 'TZcLhfaEIm', 'YKS5RCAvFa', 'sI85zmwKW8', 'ProcessDialogKey', 'PokpaqKhtQ', 'vAUp5QFEjJ', 'coyppcS66A'
Source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.5d20000.5.raw.unpack, W28QPp551uMj0qaJcaa.cs High entropy of concatenated method names: 'VhIqRCvQ6c', 'estqz3qnSN', 'DcZOaCkiRU', 'mSGO5wM5IT', 'xenOpJ8b72', 'GEHOVDh3CC', 'Gr5O7jBVOi', 'jA1ONocI4Q', 'hDAOAraOcU', 'u2JOdbBRvB'
Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00406128 ShellExecuteW,URLDownloadToFileW, 3_2_00406128
Drops PE files
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe File created: C:\ProgramData\Remcos\remcos.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe File created: C:\ProgramData\Remcos\remcos.exe Jump to dropped file

Boot Survival
barindex
Creates autostart registry keys with suspicious names
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-YJ70D0 Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 3_2_00419BC4
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-YJ70D0 Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-YJ70D0 Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-YJ70D0 Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-YJ70D0 Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_0041BCE3
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 6840, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 5800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 5812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 3264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 3140, type: MEMORYSTR
Delayed program exit found
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0040E54F Sleep,ExitProcess, 3_2_0040E54F
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Memory allocated: 1070000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Memory allocated: 2A00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Memory allocated: 4A00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Memory allocated: 6210000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Memory allocated: 7210000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Memory allocated: 7360000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Memory allocated: 8360000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 15F0000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 2F40000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 4F40000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 68F0000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 78F0000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 7A40000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 8A40000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 1410000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 3100000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 5100000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 6910000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 7910000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 7A60000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 8A60000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 1770000 memory reserve | memory write watch
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 3440000 memory reserve | memory write watch
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 5440000 memory reserve | memory write watch
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 6B00000 memory reserve | memory write watch
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 7B00000 memory reserve | memory write watch
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 7C40000 memory reserve | memory write watch
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 8C40000 memory reserve | memory write watch
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: F20000 memory reserve | memory write watch
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 27E0000 memory reserve | memory write watch
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 25F0000 memory reserve | memory write watch
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 5E80000 memory reserve | memory write watch
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 6E80000 memory reserve | memory write watch
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 6FC0000 memory reserve | memory write watch
Source: C:\ProgramData\Remcos\remcos.exe Memory allocated: 7FC0000 memory reserve | memory write watch
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 3_2_004198C2
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Remcos\remcos.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6011 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2814 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6950 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2631 Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Window / User API: threadDelayed 9015
Source: C:\ProgramData\Remcos\remcos.exe Window / User API: foregroundWindowGot 1404
Found evaded block containing many API calls
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Evaded block: after key decision
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe API coverage: 5.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe TID: 6888 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1376 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3140 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe TID: 5744 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1184 Thread sleep count: 6950 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6168 Thread sleep count: 2631 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7064 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe TID: 732 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe TID: 6528 Thread sleep time: -30000s >= -30000s
Source: C:\ProgramData\Remcos\remcos.exe TID: 3488 Thread sleep time: -714000s >= -30000s
Source: C:\ProgramData\Remcos\remcos.exe TID: 3488 Thread sleep time: -27045000s >= -30000s
Source: C:\ProgramData\Remcos\remcos.exe TID: 4476 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Remcos\remcos.exe TID: 3412 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 3_2_0040B335
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 3_2_0041B42F
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 3_2_0040B53A
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 3_2_004089A9
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00406AC2 FindFirstFileW,FindNextFileW, 3_2_00406AC2
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 3_2_00407A8C
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 3_2_00418C69
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 3_2_00408DA7
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 3_2_00406F06
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Remcos\remcos.exe Thread delayed: delay time: 922337203685477
Source: remcos.exe, 00000004.00000002.1740692420.00000000013B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!
Source: remcos.exe, 00000004.00000002.1740692420.00000000013B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: remcos.exe, 0000000B.00000002.2956392919.0000000001417000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000B.00000002.2956705230.000000000148C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: remcos.exe, 0000000B.00000002.2956705230.000000000148C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ORDER AND SPECIFICATIONS.scr.exe, 00000000.00000002.1723702209.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}EMX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\ProgramData\Remcos\remcos.exe Process queried: DebugPort
Source: C:\ProgramData\Remcos\remcos.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0043A65D
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_0041BCE3
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00442554 mov eax, dword ptr fs:[00000030h] 3_2_00442554
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0044E92E GetProcessHeap, 3_2_0044E92E
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00434168
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0043A65D
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00433B44
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00433CD7 SetUnhandledExceptionFilter, 3_2_00433CD7
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe" Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
Maps a DLL or memory area into another process
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: NULL target: C:\Program Files (x86)\Internet Explorer\iexplore.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\ProgramData\Remcos\remcos.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 2814008 Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 3_2_00410F36
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00418754 mouse_event, 3_2_00418754
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe" Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process created: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe "C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe" Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe" Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program managerD0\l
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program managerD0\hKM
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program managerr|
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program managerD0\ Ku
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000B.00000002.2956392919.0000000001417000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program managerD0\
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program managerD0\fK
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerD0\oK
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerD0\PK
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program manager;?
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager)
Source: remcos.exe, 0000000B.00000002.2956392919.0000000001417000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dProgram Manager\logs.dat2
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerD0\
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dProgram Managerg;
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program managerD0\tK
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program managerD0\'K|
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dProgram ManagerI;
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program manager
Source: remcos.exe, 0000000B.00000002.2956392919.0000000001417000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerD0\BK
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerc?
Source: remcos.exe, 0000000B.00000002.2956705230.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program managerD0\KK
Source: remcos.exe, 0000000B.00000002.2956392919.0000000001417000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr Binary or memory string: [Program Manager]
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00433E0A cpuid 3_2_00433E0A
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: EnumSystemLocalesW, 3_2_004470AE
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: GetLocaleInfoW, 3_2_004510BA
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_004511E3
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: GetLocaleInfoW, 3_2_004512EA
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_004513B7
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: GetLocaleInfoW, 3_2_00447597
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: GetLocaleInfoA, 3_2_0040E679
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_00450A7F
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: EnumSystemLocalesW, 3_2_00450CF7
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: EnumSystemLocalesW, 3_2_00450D42
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: EnumSystemLocalesW, 3_2_00450DDD
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_00450E6A
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Queries volume information: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\ProgramData\Remcos\remcos.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\ProgramData\Remcos\remcos.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\ProgramData\Remcos\remcos.exe VolumeInformation
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\ProgramData\Remcos\remcos.exe VolumeInformation
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00434010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_00434010
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_0041A7A2 GetUserNameW, 3_2_0041A7A2
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: 3_2_00448057 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 3_2_00448057
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1724701599.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1921104180.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2956392919.0000000001417000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1714038112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2000409352.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1736104866.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2957635105.000000000304F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1726400682.0000000004515000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1726400682.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 6840, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 7076, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 2144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 5888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 2496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 3512, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\Remcos\logs.dat, type: DROPPED
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 3_2_0040B21B
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 3_2_0040B335
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: \key3.db 3_2_0040B335

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-YJ70D0 Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-YJ70D0 Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-YJ70D0
Source: C:\ProgramData\Remcos\remcos.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-YJ70D0
Source: C:\ProgramData\Remcos\remcos.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-YJ70D0
Yara detected Remcos RAT
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.4515a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORDER AND SPECIFICATIONS.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDER AND SPECIFICATIONS.scr.exe.3ad2c38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1724701599.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1921104180.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2956392919.0000000001417000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1714038112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2000409352.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1736104866.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2957635105.000000000304F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1726400682.0000000004515000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1726400682.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 6840, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ORDER AND SPECIFICATIONS.scr.exe PID: 7076, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 2144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 5888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 2496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 3512, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\Remcos\logs.dat, type: DROPPED
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Users\user\Desktop\ORDER AND SPECIFICATIONS.scr.exe Code function: cmd.exe 3_2_00405042
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1559970 Sample: ORDER AND SPECIFICATIONS.scr.exe Startdate: 21/11/2024 Architecture: WINDOWS Score: 100 63 geoplugin.net 2->63 69 Suricata IDS alerts for network traffic 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 18 other signatures 2->75 10 ORDER AND SPECIFICATIONS.scr.exe 4 2->10         started        14 remcos.exe 2 2->14         started        16 remcos.exe 2->16         started        18 remcos.exe 2->18         started        signatures3 process4 file5 61 C:\...\ORDER AND SPECIFICATIONS.scr.exe.log, ASCII 10->61 dropped 91 Adds a directory exclusion to Windows Defender 10->91 20 ORDER AND SPECIFICATIONS.scr.exe 2 4 10->20         started        24 powershell.exe 23 10->24         started        26 remcos.exe 14->26         started        29 remcos.exe 16->29         started        31 remcos.exe 16->31         started        33 remcos.exe 18->33         started        35 remcos.exe 18->35         started        signatures6 process7 dnsIp8 55 C:\ProgramData\Remcos\remcos.exe, PE32 20->55 dropped 57 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 20->57 dropped 77 Detected Remcos RAT 20->77 79 Creates autostart registry keys with suspicious names 20->79 37 remcos.exe 4 20->37         started        81 Loading BitLocker PowerShell Module 24->81 40 conhost.exe 24->40         started        65 154.216.16.54, 49732, 49740, 49741 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 26->65 67 geoplugin.net 178.237.33.50, 49734, 80 ATOM86-ASATOM86NL Netherlands 26->67 59 C:\ProgramData\Remcos\logs.dat, data 26->59 dropped 83 Installs a global keyboard hook 26->83 42 WerFault.exe 26->42         started        file9 signatures10 process11 signatures12 85 Multi AV Scanner detection for dropped file 37->85 87 Machine Learning detection for dropped file 37->87 89 Adds a directory exclusion to Windows Defender 37->89 44 remcos.exe 2 1 37->44         started        47 powershell.exe 23 37->47         started        process13 signatures14 93 Detected Remcos RAT 44->93 95 Writes to foreign memory regions 44->95 97 Maps a DLL or memory area into another process 44->97 49 iexplore.exe 44->49         started        99 Loading BitLocker PowerShell Module 47->99 51 WmiPrvSE.exe 47->51         started        53 conhost.exe 47->53         started        process15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
154.216.16.54
 unknown Seychelles
135357 SKHT-ASShenzhenKatherineHengTechnologyInformationCo true
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false

Contacted Domains

Name IP Active
geoplugin.net 178.237.33.50 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://geoplugin.net/json.gp false
    		high
    16.54 true
    • Avira URL Cloud: safe
    		 unknown