Windows Analysis Report
17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

AI detected suspicious sample

Source: Yara match	File source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 4.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.2067183514.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2000316301.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2066282556.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2066558477.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4448661810.000000000070E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4448476317.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 5012, type: MEMORYSTR

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Machine Learning detection for sample

Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		0_2_0043293A
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,		2_2_00404423

Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000000.2000316301.0000000000457000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_d317d35e-7

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 4.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.2067183514.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2000316301.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2066282556.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2066558477.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4448476317.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 5012, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_00406764 _wcslen,CoGetObject,

0_2_00406764

Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040B335
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	0_2_0041B42F
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040B53A
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0044D5E9 FindFirstFileExA,	0_2_0044D5E9
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	0_2_004089A9
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,	0_2_00406AC2
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	0_2_00407A8C
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_00418C69
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	0_2_00408DA7
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_100010F1
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_10006580 FindFirstFileExA,	0_2_10006580
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0040AE51 FindFirstFileW,FindNextFileW,	2_2_0040AE51
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	3_2_00407EF8
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	4_2_00407898

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00406F06

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Temp\hiorcudfdjvgfduzawbdqufameompfcr	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Temp\begcefy	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Temp\rctj	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49705 -> 31.13.224.72:2431
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49704 -> 31.13.224.72:2431

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: newbeggin.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: newbeggin.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 31.13.224.72:2431

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: SARNICA-ASBG SARNICA-ASBG

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49706 -> 178.237.33.50:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_004260F7 recv,

0_2_004260F7

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000003.2083218540.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000003.2082878319.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000003.2083218540.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000003.2082878319.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4449231494.0000000003620000.00000040.10000000.00040000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000002.2070044914.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000002.2070044914.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4449083061.0000000003530000.00000040.10000000.00040000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000002.2088802742.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4449083061.0000000003530000.00000040.10000000.00040000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000002.2088802742.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: newbeggin.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: bhv8713.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2063969247.0000000000744000.00000004.00000020.00020000.00000000.sdmp, bhv8713.tmp.2.dr	String found in binary or memory: http://geoplugin.net/json.gp
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2088647029.000000000074D000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2065990698.0000000000740000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2045818771.0000000000750000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2089428841.000000000074E000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4448661810.000000000074F000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2063969247.0000000000744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp.
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2088647029.000000000074D000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2065990698.0000000000740000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2045818771.0000000000750000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2089428841.000000000074E000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4448661810.000000000074F000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2063969247.0000000000744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpE
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2065990698.0000000000740000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2045818771.0000000000750000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2063969247.0000000000744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpQ
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2045818771.0000000000750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gplm
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2088647029.000000000074D000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2065990698.0000000000740000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2045818771.0000000000750000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2089428841.000000000074E000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4448661810.000000000074F000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2063969247.0000000000744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpz
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://ocspx.digicert.com0E
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000002.2070044914.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000003.2069416780.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000003.2069391887.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000002.2070044914.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000003.2069416780.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000003.2069391887.00000000006DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.comata
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4449231494.0000000003620000.00000040.10000000.00040000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000002.2070044914.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4449231494.0000000003620000.00000040.10000000.00040000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000002.2070044914.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhv8713.tmp.2.dr	String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000002.2088507261.0000000000193000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000002.2070044914.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7e9591e308dbda599df1fc08720a72a3
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?c6a2869c584d2ea23c67c44abe1ec326
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000002.2070044914.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv8713.tmp.2.dr	String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

0_2_004099E4

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_004159C6

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	0_2_004159C6
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	2_2_0040987A
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	2_2_004098E2
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	3_2_00406DFC
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	3_2_00406E9F
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	4_2_004068B5
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	4_2_004072B5

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_004159C6

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

0_2_00409B10

Source: Yara match	File source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 4.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.2067183514.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2000316301.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2066282556.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2066558477.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4448476317.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 5012, type: MEMORYSTR

E-Banking Fraud

Contains functionalty to change the wallpaper

Source: Yara match	File source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 4.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.2067183514.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2000316301.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2066282556.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2066558477.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4448661810.000000000070E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4448476317.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 5012, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_0041BB77 SystemParametersInfoW,

0_2_0041BB77

System Summary

Malicious sample detected (through community Yara rule)

Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, type: SAMPLE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000000.2067183514.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000000.2000316301.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000000.2066282556.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000000.2066558477.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.4448476317.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6156, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6524, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6484, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 5012, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	0_2_00417245
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,	0_2_0041ACC1
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,	0_2_0041ACED
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,	2_2_0040DD85
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_00401806 NtdllDefWindowProc_W,	2_2_00401806
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_004018C0 NtdllDefWindowProc_W,	2_2_004018C0
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_004016FD NtdllDefWindowProc_A,	3_2_004016FD
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_004017B7 NtdllDefWindowProc_A,	3_2_004017B7
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_00402CAC NtdllDefWindowProc_A,	4_2_00402CAC
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_00402D66 NtdllDefWindowProc_A,	4_2_00402D66

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,

0_2_004158B9

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0041D071	0_2_0041D071
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_004520D2	0_2_004520D2
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0043D098	0_2_0043D098
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00437150	0_2_00437150
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_004361AA	0_2_004361AA
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00426254	0_2_00426254
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00431377	0_2_00431377
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0043651C	0_2_0043651C
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0041E5DF	0_2_0041E5DF
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0044C739	0_2_0044C739
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_004367C6	0_2_004367C6
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_004267CB	0_2_004267CB
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0043C9DD	0_2_0043C9DD
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00432A49	0_2_00432A49
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00436A8D	0_2_00436A8D
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0043CC0C	0_2_0043CC0C
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00436D48	0_2_00436D48
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00434D22	0_2_00434D22
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00426E73	0_2_00426E73
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00440E20	0_2_00440E20
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0043CE3B	0_2_0043CE3B
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00412F45	0_2_00412F45
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00452F00	0_2_00452F00
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00426FAD	0_2_00426FAD
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_10017194	0_2_10017194
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_1000B5C1	0_2_1000B5C1
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0044B040	2_2_0044B040
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0043610D	2_2_0043610D
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_00447310	2_2_00447310
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0044A490	2_2_0044A490
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0040755A	2_2_0040755A
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0043C560	2_2_0043C560
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0044B610	2_2_0044B610
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0044D6C0	2_2_0044D6C0
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_004476F0	2_2_004476F0
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0044B870	2_2_0044B870
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0044081D	2_2_0044081D
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_00414957	2_2_00414957
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_004079EE	2_2_004079EE
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_00407AEB	2_2_00407AEB
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0044AA80	2_2_0044AA80
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_00412AA9	2_2_00412AA9
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_00404B74	2_2_00404B74
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_00404B03	2_2_00404B03
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0044BBD8	2_2_0044BBD8
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_00404BE5	2_2_00404BE5
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_00404C76	2_2_00404C76
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_00415CFE	2_2_00415CFE
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_00416D72	2_2_00416D72
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_00446D30	2_2_00446D30
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_00446D8B	2_2_00446D8B
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_00406E8F	2_2_00406E8F
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_00405038	3_2_00405038
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_0041208C	3_2_0041208C
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_004050A9	3_2_004050A9
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_0040511A	3_2_0040511A
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_0043C13A	3_2_0043C13A
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_004051AB	3_2_004051AB
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_00449300	3_2_00449300
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_0040D322	3_2_0040D322
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_0044A4F0	3_2_0044A4F0
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_0043A5AB	3_2_0043A5AB
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_00413631	3_2_00413631
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_00446690	3_2_00446690
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_0044A730	3_2_0044A730
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_004398D8	3_2_004398D8
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_004498E0	3_2_004498E0
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_0044A886	3_2_0044A886
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_0043DA09	3_2_0043DA09
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_00438D5E	3_2_00438D5E
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_00449ED0	3_2_00449ED0
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_0041FE83	3_2_0041FE83
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_00430F54	3_2_00430F54
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_004050C2	4_2_004050C2
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_004014AB	4_2_004014AB
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_00405133	4_2_00405133
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_004051A4	4_2_004051A4
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_00401246	4_2_00401246
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_0040CA46	4_2_0040CA46
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_00405235	4_2_00405235
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_004032C8	4_2_004032C8
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_004222D9	4_2_004222D9
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_00401689	4_2_00401689
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_00402F60	4_2_00402F60

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: String function: 00433FB0 appears 55 times
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: String function: 004020E7 appears 40 times
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: String function: 004338A5 appears 42 times
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: String function: 00413025 appears 79 times
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: String function: 00416760 appears 69 times

Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2088647029.0000000000788000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4449231494.000000000363B000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2065990698.0000000000740000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2090245654.00000000007A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Binary or memory string: OriginalFileName vs 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Binary or memory string: OriginalFilename vs 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000002.2070044914.000000000041B000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000000.2067183514.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000000.2000316301.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000000.2066282556.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000000.2066558477.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.4448476317.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6156, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6524, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6484, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 5012, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@7/3@2/2

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 2_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

2_2_004182CE

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		0_2_00416AB7
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,		4_2_00410DE1

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 2_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

2_2_00418758

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

0_2_0040E219

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource,

0_2_0041A63F

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_00419BC4

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-8FCP5S

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

File created: C:\Users\user\AppData\Local\Temp\bhv8713.tmp

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: Software\	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: Rmc-8FCP5S	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: Exe	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: Exe	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: Rmc-8FCP5S	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: 0DG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: Inj	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: Inj	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: BG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: BG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: BG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: @CG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: BG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: exepath	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: @CG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: exepath	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: BG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: licence	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: `=G	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: XCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: dCG	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: Administrator	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: User	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: del	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: del	0_2_0040D767
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Command line argument: del	0_2_0040D767

Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

System information queried: HandleInformation

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000002.2088802742.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000003.00000002.2068754892.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4449083061.0000000003530000.00000040.10000000.00040000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000002.2088802742.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000002.2088802742.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000002.2088802742.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000002.2088802742.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000003.2078535287.0000000002170000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000003.2078267877.0000000002170000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000002.2089740556.000000000216F000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000003.2083508071.000000000216F000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000003.2082087636.000000000216F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000002.2088802742.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe "C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe"
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Process created: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\hiorcudfdjvgfduzawbdqufameompfcr"
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Process created: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\rctj"
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Process created: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\begcefy"
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Process created: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\hiorcudfdjvgfduzawbdqufameompfcr"	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Process created: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\rctj"	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Process created: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\begcefy"	Jump to behavior

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

File opened: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.cfg

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Detected unpacking (changes PE section rights)

Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Unpacked PE file: 2.2.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Unpacked PE file: 3.2.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Unpacked PE file: 4.2.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

0_2_0041BCE3

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_004567E0 push eax; ret	0_2_004567FE
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00455EAF push ecx; ret	0_2_00455EC2
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00433FF6 push ecx; ret	0_2_00434009
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_10002806 push ecx; ret	0_2_10002819
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0044693D push ecx; ret	2_2_0044694D
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0044DB70 push eax; ret	2_2_0044DB84
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0044DB70 push eax; ret	2_2_0044DBAC
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_00451D54 push eax; ret	2_2_00451D61
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_0044B090 push eax; ret	3_2_0044B0A4
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_0044B090 push eax; ret	3_2_0044B0CC
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_00451D34 push eax; ret	3_2_00451D41
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_00444E71 push ecx; ret	3_2_00444E81
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_00414060 push eax; ret	4_2_00414074
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_00414060 push eax; ret	4_2_0041409C
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_00414039 push ecx; ret	4_2_00414049
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_004164EB push 0000006Ah; retf	4_2_004165C4
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_00416553 push 0000006Ah; retf	4_2_004165C4
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_00416555 push 0000006Ah; retf	4_2_004165C4

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW,

0_2_00406128

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_00419BC4

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

0_2_0041BCE3

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_0040E54F Sleep,ExitProcess,

0_2_0040E54F

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 2_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,

2_2_0040DD85

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

0_2_004198C2

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Window / User API: threadDelayed 3743			Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Window / User API: threadDelayed 6245			Jump to behavior

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-53091

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

API coverage: 9.9 %

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe TID: 4396	Thread sleep count: 3743 > 30	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe TID: 4396	Thread sleep time: -11229000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe TID: 4396	Thread sleep count: 6245 > 30	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe TID: 4396	Thread sleep time: -18735000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040B335
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	0_2_0041B42F
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040B53A
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0044D5E9 FindFirstFileExA,	0_2_0044D5E9
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	0_2_004089A9
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,	0_2_00406AC2
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	0_2_00407A8C
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_00418C69
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	0_2_00408DA7
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_100010F1
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_10006580 FindFirstFileExA,	0_2_10006580
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 2_2_0040AE51 FindFirstFileW,FindNextFileW,	2_2_0040AE51
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 3_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	3_2_00407EF8
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 4_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	4_2_00407898

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00406F06

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 2_2_00418981 memset,GetSystemInfo,

2_2_00418981

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Temp\hiorcudfdjvgfduzawbdqufameompfcr	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Temp\begcefy	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Temp\rctj	Jump to behavior

Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4448661810.000000000070E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2088647029.0000000000788000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2063969247.0000000000788000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2045818771.0000000000788000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4448661810.0000000000788000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bhv8713.tmp.2.dr	Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	API call chain: ExitProcess graph end node			graph_0-54093
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0043A65D

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

2_2_0040DD85

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

0_2_0041BCE3

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00442554 mov eax, dword ptr fs:[00000030h]		0_2_00442554
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_10004AB4 mov eax, dword ptr fs:[00000030h]		0_2_10004AB4

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_00410B19 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,

0_2_00410B19

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Process token adjusted: Debug

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00434168
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0043A65D
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00433B44
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_00433CD7 SetUnhandledExceptionFilter,	0_2_00433CD7
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_100060E2
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_10002639
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: 0_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_10002B1C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

0_2_00417245

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: NULL target: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: NULL target: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Section loaded: NULL target: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

0_2_00410F36

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_00418754 mouse_event,

0_2_00418754

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Process created: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\hiorcudfdjvgfduzawbdqufameompfcr"	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Process created: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\rctj"	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Process created: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\begcefy"	Jump to behavior

Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4448661810.0000000000771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4448661810.0000000000771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerx
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4448661810.0000000000771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager_
Source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4448661810.000000000070E000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4448661810.0000000000761000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_00433E0A cpuid

0_2_00433E0A

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: GetLocaleInfoA,	0_2_0040E679
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: EnumSystemLocalesW,	0_2_004470AE
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: GetLocaleInfoW,	0_2_004510BA
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_004511E3
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: GetLocaleInfoW,	0_2_004512EA
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_004513B7
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: GetLocaleInfoW,	0_2_00447597
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00450A7F
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: EnumSystemLocalesW,	0_2_00450CF7
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: EnumSystemLocalesW,	0_2_00450D42
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: EnumSystemLocalesW,	0_2_00450DDD
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00450E6A

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_00404915 GetLocalTime,CreateEventA,CreateThread,

0_2_00404915

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_0041A7A2 GetComputerNameExW,GetUserNameW,

0_2_0041A7A2

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 0_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0044800F

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: 2_2_0041739B GetVersionExW,

2_2_0041739B

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Contains functionality to steal Chrome passwords or cookies

Source: Yara match	File source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 4.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.2067183514.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2000316301.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2066282556.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2066558477.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4448661810.000000000070E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4448476317.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 5012, type: MEMORYSTR

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

0_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		0_2_0040B335
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: \key3.db		0_2_0040B335

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: ESMTPPassword	3_2_004033F0
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	3_2_00402DB3
Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	3_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6524, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-8FCP5S

Source: Yara match	File source: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 4.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.2067183514.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2000316301.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2066282556.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2066558477.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4448661810.000000000070E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4448476317.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 6484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe PID: 5012, type: MEMORYSTR

Source: C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Code function: cmd.exe

0_2_00405042

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	13 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	2 Obfuscated Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	Logon Script (Windows)	1 Access Token Manipulation	1 Software Packing	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	1 DLL Side-Loading	3 Credentials In Files	4 File and Directory Discovery	Distributed Component Object Model	111 Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	222 Process Injection	1 Bypass User Account Control	LSA Secrets	38 System Information Discovery	SSH	3 Clipboard Data	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Security Software Discovery	VNC	GUI Input Capture	22 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	222 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	74%	ReversingLabs	Win32.Backdoor.Remcos
17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	100%	Avira	BDS/Backdoor.Gen
17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
newbeggin.duckdns.org	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
newbeggin.duckdns.org	31.13.224.72	true	true		unknown
geoplugin.net	178.237.33.50	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
newbeggin.duckdns.org	true	Avira URL Cloud: malware	unknown
http://geoplugin.net/json.gp	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P	bhv8713.tmp.2.dr	false	high
https://www.office.com/	bhv8713.tmp.2.dr	false	high
http://www.imvu.comr	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4449231494.0000000003620000.00000040.10000000.00040000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000002.2070044914.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	high
https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e	bhv8713.tmp.2.dr	false	high
http://geoplugin.net/json.gp.	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2088647029.000000000074D000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2065990698.0000000000740000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2045818771.0000000000750000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2089428841.000000000074E000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4448661810.000000000074F000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2063969247.0000000000744000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.imvu.com	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000003.2069416780.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000003.2069391887.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000002.2070044914.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	high
http://www.nirsoft.net	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000002.00000002.2088507261.0000000000193000.00000004.00000010.00020000.00000000.sdmp	false	high
https://aefd.nelreports.net/api/report?cat=bingaotak	bhv8713.tmp.2.dr	false	high
https://deff.nelreports.net/api/report?cat=msn	bhv8713.tmp.2.dr	false	high
http://geoplugin.net/json.gpz	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2088647029.000000000074D000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2065990698.0000000000740000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2045818771.0000000000750000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2089428841.000000000074E000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4448661810.000000000074F000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2063969247.0000000000744000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4449231494.0000000003620000.00000040.10000000.00040000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000002.2070044914.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	high
http://geoplugin.net/json.gplm	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2045818771.0000000000750000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000002.2070044914.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	high
https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073	bhv8713.tmp.2.dr	false	high
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF	bhv8713.tmp.2.dr	false	high
http://geoplugin.net/json.gpE	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2088647029.000000000074D000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2065990698.0000000000740000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2045818771.0000000000750000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2089428841.000000000074E000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000002.4448661810.000000000074F000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2063969247.0000000000744000.00000004.00000020.00020000.00000000.sdmp	false	high
https://aefd.nelreports.net/api/report?cat=bingaot	bhv8713.tmp.2.dr	false	high
http://geoplugin.net/json.gp/C	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	false	high
https://maps.windows.com/windows-app-web-link	bhv8713.tmp.2.dr	false	high
https://aefd.nelreports.net/api/report?cat=bingrms	bhv8713.tmp.2.dr	false	high
https://www.google.com/accounts/servicelogin	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	false	high
http://geoplugin.net/json.gpQ	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2065990698.0000000000740000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2045818771.0000000000750000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000000.00000003.2063969247.0000000000744000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.yahoo.com/config/login	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe	false	high
http://www.nirsoft.net/	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000002.2070044914.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	high
http://www.imvu.comata	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000003.2069416780.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000003.2069391887.00000000006DD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.ebuddy.com	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe, 00000004.00000002.2070044914.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
31.13.224.72	newbeggin.duckdns.org	Bulgaria		48584	SARNICA-ASBG	true
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564535
Start date and time:	2024-11-28 13:58:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.expl.evad.winEXE@7/3@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 136 Number of non-executed functions: 302
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Simulations

Behavior and APIs

Time	Type	Description
07:59:30	API Interceptor	4145797x Sleep call for process: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
31.13.224.72	Sipari#U015f_listesi.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse
31.13.224.72	OC25-11-24.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse
178.237.33.50	SC_TR126089907.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	Sipari#U015f_listesi.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	geoplugin.net/json.gp
	Banco Santander Totta _Aconselhamento_Pagamento.img	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	remi.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	rem.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	Salary Revision _pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	BUNKER INVOICE #U2018MV.SUN OCEAN.pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	UPS_CBIJ90511770131.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
newbeggin.duckdns.org	Sipari#U015f_listesi.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	31.13.224.72
newbeggin.duckdns.org	OC25-11-24.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	31.13.224.72
geoplugin.net	SC_TR126089907.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	Sipari#U015f_listesi.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	178.237.33.50
	Banco Santander Totta _Aconselhamento_Pagamento.img	Get hash	malicious	Remcos	Browse	178.237.33.50
	remi.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	rem.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	Salary Revision _pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	BUNKER INVOICE #U2018MV.SUN OCEAN.pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	UPS_CBIJ90511770131.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SARNICA-ASBG	Sipari#U015f_listesi.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	31.13.224.72
	Evjm8L1nEb.exe	Get hash	malicious	Unknown	Browse	31.13.224.69
	ugisGK1R1q.exe	Get hash	malicious	DarkVision Rat	Browse	31.13.224.69
	Evjm8L1nEb.exe	Get hash	malicious	Unknown	Browse	31.13.224.69
	OC25-11-24.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	31.13.224.72
	n5QCsKJ0CP.exe	Get hash	malicious	RedLine	Browse	31.13.224.34
	ahmbf.ps1	Get hash	malicious	Unknown	Browse	31.13.224.69
	Order88983273293729387293828PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	93.123.109.168
	Order88983273293729387293828PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	93.123.109.168
	Order88983273293729387293828PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	93.123.109.168
ATOM86-ASATOM86NL	SC_TR126089907.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	Sipari#U015f_listesi.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	178.237.33.50
	Banco Santander Totta _Aconselhamento_Pagamento.img	Get hash	malicious	Remcos	Browse	178.237.33.50
	remi.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	rem.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	Salary Revision _pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	BUNKER INVOICE #U2018MV.SUN OCEAN.pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	UPS_CBIJ90511770131.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50

Process:	C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.014904284428935
Encrypted:	false
SSDEEP:	12:tkluJnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluNdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	B66CFB6461E507BB577CDE91F270844E
SHA1:	6D952DE48032731679F8718D1F1C3F08202507C3
SHA-256:	E231BBC873E9B30CCA58297CAA3E8945A4FC61556F378F2C5013B0DDCB7035BE
SHA-512:	B5C1C188F10C9134EF38D0C5296E7AE95A7A486F858BE977F9A36D63CBE5790592881F3B8D12FEBBF1E555D0A9868632D9E590777E2D3143E74FD3A44C55575F
Malicious:	false
Reputation:	low
Preview:	{. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Temp\bhv8713.tmp

Download File

Process:	C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x324e7548, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	17301504
Entropy (8bit):	0.8012558191695838
Encrypted:	false
SSDEEP:	6144:idfjZb5aXEY2waXEY24URl0e4APXAP5APzAPwbndOO8pHAP6JnTJnTbnSotnBQ+z:wVq4e81ySaKKjLrONseWe
MD5:	A048560B6D06351E9C3CD1A528ABC408
SHA1:	A43E576AA0E4754C7B6E6CFBC201AD3950C7B22E
SHA-256:	71C198770BA86D002B33F29B9928B6763DE9601D6856FB9ACD02F46C513C8242
SHA-512:	CD89E6DA10199D660076FD016908BB7BF2C3BD699602B1F90D6417B9EF0B2CE09231BE0CB65F3C9C38B7E3F7FAEFC4021E49DBCF62A16D85554ACF01DEA3B969
Malicious:	false
Reputation:	low
Preview:	2NuH... .......;!......E{ow("...{........................@.....-....{u.):...\|..h.B............................("...{q............................................................................................._...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{]..................................K~.):...\|...................2.B):...\|...........................#......h.B.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hiorcudfdjvgfduzawbdqufameompfcr

Download File

Process:	C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.586324400137752
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe
File size:	493'056 bytes
MD5:	1c7a20b7156251eeb2ae903cbfc204e4
SHA1:	9164981354925ea9ef2f19db506d198d85bc529c
SHA256:	552c5a019f7e7f260e599ccb6a3be509b0a62739547d0d5250288fbdf4569cf5
SHA512:	dc0eecdcbc8ba25f9361ca9bae7e53da2e9ea64fec7bdc8946d8278d207dd2c052c89b3e8bb39f9a65e215ebe9b29a1209341d458e98044e67c400f688ffeb48
SSDEEP:	12288:XuD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDSZ+DY:K09AfNIEYsunZvZ19Zes
TLSH:	17A4BF01B6D2C072D57625300D26E775DEBDBD212835897BB3DA1D67FE30180E63AAB2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.

File Icon


Icon Hash:	95694d05214c1b33

Static PE Info

General

Entrypoint:	0x433b3a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6724916B [Fri Nov 1 08:29:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	e77512f955eaf60ccff45e02d69234de

Entrypoint Preview

Instruction
call 00007FEBC9409643h
jmp 00007FEBC9408F9Fh
push ebp
mov ebp, esp
sub esp, 00000324h
push ebx
push 00000017h
call 00007FEBC942B479h
test eax, eax
je 00007FEBC9409127h
mov ecx, dword ptr [ebp+08h]
int 29h
push 00000003h
call 00007FEBC94092E4h
mov dword ptr [esp], 000002CCh
lea eax, dword ptr [ebp-00000324h]
push 00000000h
push eax
call 00007FEBC940B5FBh
add esp, 0Ch
mov dword ptr [ebp-00000274h], eax
mov dword ptr [ebp-00000278h], ecx
mov dword ptr [ebp-0000027Ch], edx
mov dword ptr [ebp-00000280h], ebx
mov dword ptr [ebp-00000284h], esi
mov dword ptr [ebp-00000288h], edi
mov word ptr [ebp-0000025Ch], ss
mov word ptr [ebp-00000268h], cs
mov word ptr [ebp-0000028Ch], ds
mov word ptr [ebp-00000290h], es
mov word ptr [ebp-00000294h], fs
mov word ptr [ebp-00000298h], gs
pushfd
pop dword ptr [ebp-00000264h]
mov eax, dword ptr [ebp+04h]
mov dword ptr [ebp-0000026Ch], eax
lea eax, dword ptr [ebp+04h]
mov dword ptr [ebp-00000260h], eax
mov dword ptr [ebp-00000324h], 00010001h
mov eax, dword ptr [eax-04h]
push 00000050h
mov dword ptr [ebp-00000270h], eax
lea eax, dword ptr [ebp-58h]
push 00000000h
push eax
call 00007FEBC940B571h

Rich Headers

Programming Language:

[C++] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6e020	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x76000	0x4ab8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7b000	0x3b80	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6c510	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x6c5e8	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x6c548	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x57000	0x4f4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x55f1d	0x56000	30cda225e02a0d4dab478a6c7c094860	False	0.5738610555959303	data	6.62127843313247	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x57000	0x18b00	0x18c00	9800e1a5325bb58aa054e318c8bb055a	False	0.49812578914141414	OpenPGP Secret Key Version 6	5.758930104385571	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x70000	0x5d6c	0xe00	06414e748130e7e668ba2ba172d63448	False	0.22684151785714285	data	3.093339598098017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x76000	0x4ab8	0x4c00	809b580475dff9f21a32907d17bdeddb	False	0.2754934210526316	data	3.976796671085605	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7b000	0x3b80	0x3c00	3a880743591ae3410d0dc26d7322ddd0	False	0.7569661458333333	data	6.695050823503309	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x7618c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3421985815602837
RT_ICON	0x765f4	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.27704918032786885
RT_ICON	0x76f7c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.23686679174484052
RT_ICON	0x78024	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.22977178423236513
RT_RCDATA	0x7a5cc	0x4a9	data			1.0092204526404023
RT_GROUP_ICON	0x7aa78	0x3e	data	English	United States	0.8064516129032258

Imports

DLL	Import
KERNEL32.dll	ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile
USER32.dll	DefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon
GDI32.dll	BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject
ADVAPI32.dll	LookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
SHELL32.dll	ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll	CoInitializeEx, CoGetObject, CoUninitialize
SHLWAPI.dll	StrToIntA, PathFileExistsW, PathFileExistsA
WINMM.dll	mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW
WS2_32.dll	send, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname
urlmon.dll	URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll	GdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage
WININET.dll	InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-28T13:58:56.417695+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49704	31.13.224.72	2431	TCP
2024-11-28T13:58:58.977746+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49705	31.13.224.72	2431	TCP
2024-11-28T13:58:59.099286+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49706	178.237.33.50	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 13:58:54.940700054 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:55.061948061 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:55.062033892 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:55.066695929 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:55.186800003 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:56.364862919 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:56.417695045 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:56.611118078 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:56.638948917 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:56.759804010 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:56.759994984 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:56.880903959 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:57.252561092 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:57.253993034 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:57.374857903 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:57.453608990 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:57.455581903 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:57.508915901 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:57.576258898 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:57.576409101 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:57.579916000 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:57.640316963 CET	49706	80	192.168.2.5	178.237.33.50
Nov 28, 2024 13:58:57.700434923 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:57.761926889 CET	80	49706	178.237.33.50	192.168.2.5
Nov 28, 2024 13:58:57.762000084 CET	49706	80	192.168.2.5	178.237.33.50
Nov 28, 2024 13:58:57.762363911 CET	49706	80	192.168.2.5	178.237.33.50
Nov 28, 2024 13:58:57.882287025 CET	80	49706	178.237.33.50	192.168.2.5
Nov 28, 2024 13:58:58.933763981 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:58.977746010 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:59.099044085 CET	80	49706	178.237.33.50	192.168.2.5
Nov 28, 2024 13:58:59.099286079 CET	49706	80	192.168.2.5	178.237.33.50
Nov 28, 2024 13:58:59.121077061 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:59.184189081 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:59.188277006 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:59.241127968 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:59.308306932 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:59.308388948 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:59.428462029 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:59.829448938 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:59.829477072 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:59.829487085 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:59.829582930 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:59.829651117 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:59.829662085 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:59.829672098 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:59.829683065 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:59.829694986 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:59.829714060 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:59.829726934 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:59.829741001 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:59.829766035 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:59.836298943 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:59.836374998 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:59.836406946 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:58:59.844716072 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:58:59.844786882 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.000555992 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.039874077 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.039952040 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.040043116 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.044094086 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.044152021 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.044265985 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.052520990 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.052594900 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.052604914 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.060997009 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.061064005 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.061068058 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.069422007 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.069488049 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.069575071 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.077919006 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.077989101 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.077997923 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.086210012 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.086288929 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.086321115 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.094667912 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.094715118 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.094743013 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.099231958 CET	80	49706	178.237.33.50	192.168.2.5
Nov 28, 2024 13:59:00.099338055 CET	49706	80	192.168.2.5	178.237.33.50
Nov 28, 2024 13:59:00.103148937 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.103163004 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.103218079 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.111495018 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.111617088 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.111618042 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.119930983 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.120029926 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.120042086 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.161500931 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.161541939 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.161559105 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.212040901 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.250579119 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.250627995 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.250670910 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.254790068 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.254889011 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.254939079 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.263230085 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.263322115 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.263367891 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.271672964 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.271776915 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.271832943 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.280036926 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.280138969 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.280196905 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.288513899 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.288590908 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.288640976 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.296999931 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.297089100 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.297141075 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.305303097 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.305402040 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.305459976 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.309384108 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.309396029 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.309464931 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.313337088 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.313452959 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.313527107 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.317282915 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.317389011 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.317435026 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.321304083 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.321383953 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.321430922 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.325300932 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.325428963 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.325479984 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.329286098 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.329380989 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.329418898 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.333281040 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.333337069 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.333389997 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.337613106 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.337717056 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.337789059 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.350033045 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.350050926 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.350061893 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.350090981 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.350219011 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.350265980 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.350326061 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.350337029 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.350378990 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.379790068 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.379832029 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.379875898 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.381829977 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.381972075 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.382019043 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.385822058 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.385891914 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.385935068 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.461924076 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.462095976 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.462172985 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.463280916 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.463393927 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.463438034 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.466180086 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.466317892 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.466376066 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.469881058 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.469997883 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.470045090 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.473648071 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.473753929 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.473825932 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.480103970 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.480113983 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.480170965 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.481694937 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.481705904 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.481750011 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.484992027 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.485003948 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.485078096 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.488040924 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.488147974 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.488195896 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.491668940 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.491744041 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.491782904 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.494971991 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.495105982 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.495192051 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.498437881 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.498552084 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.498600006 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.501928091 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.502043009 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.502094984 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.505403042 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.505527020 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.505600929 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.508881092 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.509026051 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.509068012 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.511231899 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.511352062 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.511390924 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.513541937 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.513680935 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.513730049 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.515877008 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.516012907 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.516089916 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.518110991 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.518214941 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.518260956 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.520447016 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.520548105 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.520600080 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.522754908 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.522967100 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.523009062 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.525000095 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.525114059 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.525285006 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.527303934 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.527414083 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.527477026 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.529570103 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.529690027 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.529746056 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.532005072 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.532103062 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.532160044 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.534152031 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.534274101 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.534326077 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.536489010 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.536691904 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.536741018 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.538795948 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.538917065 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.538974047 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.541059971 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.541165113 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.541213989 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.543345928 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.543469906 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.543515921 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.545665979 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.545778036 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.545820951 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.547923088 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.547995090 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.548041105 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.550220966 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.550288916 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.550353050 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.552494049 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.552572966 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.552622080 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.555078030 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.555211067 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.555255890 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.557091951 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.557240963 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.557280064 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.559384108 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.559513092 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.559547901 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.561672926 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.561748981 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.561810017 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.563915968 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.618405104 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.671888113 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.672005892 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.672281981 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.672766924 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.672969103 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.673022032 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.674550056 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.674669981 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.674709082 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.676244020 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.676342964 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.676398993 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.677962065 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.678112030 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.678159952 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.679750919 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.679836035 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.679879904 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.681400061 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.681535959 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.681586027 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.683047056 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.683207989 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.683270931 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.684741974 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.684760094 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.684808016 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.686379910 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.686513901 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.686557055 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.687932014 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.688054085 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.688096046 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.689568043 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.689677954 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.689718962 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.691199064 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.691299915 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.691351891 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.692815065 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.692878008 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.692918062 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.694499969 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.694637060 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.694704056 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.696064949 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.696175098 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.696217060 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.697686911 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.697778940 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.697818041 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.699282885 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.699403048 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.699445009 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.700897932 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.701025963 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.701076984 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.702542067 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.702647924 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.702689886 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.704226017 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.704355955 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.704396009 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.706000090 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.706095934 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.706154108 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.707659006 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.707776070 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.707814932 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.709300995 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.709389925 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.709434032 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.710624933 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.710735083 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.710774899 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.712260008 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.712299109 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.712347031 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.713912964 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.713967085 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.714024067 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.715516090 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.715612888 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.715652943 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.717140913 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.717233896 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.717300892 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.718745947 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.718810081 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.718842983 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.720354080 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.720460892 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.720504045 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.721966028 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.722085953 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.722129107 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.723645926 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.723802090 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.723838091 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.725224972 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.725327969 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.725373030 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.727046013 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.727153063 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.727195978 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.728471994 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.728583097 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.728636980 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.730062008 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.730176926 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.730220079 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.731688976 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.731795073 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.731842995 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.733321905 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.733431101 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.733480930 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.734913111 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.734963894 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.735009909 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.736566067 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.736687899 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.736737013 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.738193035 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.738269091 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.738315105 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.739864111 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.739911079 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.739967108 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.741419077 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.741528988 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.741564035 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.743042946 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.743134975 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.743181944 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.744673014 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.744760990 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.744807959 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.746292114 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.746474028 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.746520996 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.748045921 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.748157978 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.748203993 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.749628067 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.749680042 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.749721050 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.751157045 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.751267910 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.751327991 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.752759933 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.752897978 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.752938986 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.754385948 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.754607916 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.754651070 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.756021976 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.805955887 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.882496119 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.882581949 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.882770061 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.883116007 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.883162975 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.883204937 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.884326935 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.884830952 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.884874105 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.884939909 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.886091948 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.886138916 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.886194944 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.887384892 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.887432098 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.887602091 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.888664007 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.888709068 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.888767004 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.889930964 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.889971972 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.890031099 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.891207933 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.891264915 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.891299963 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.892517090 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.892574072 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.892608881 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.893764019 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.893816948 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.893851995 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.895051003 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.895092010 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.895153999 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.896338940 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.896390915 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.896444082 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.897612095 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.897669077 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.897838116 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.898931026 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.898978949 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.899014950 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.900182009 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.900224924 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.900290966 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.901452065 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.901496887 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.901559114 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.902741909 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.902796984 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.902822971 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.904041052 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.904088974 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.904126883 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.905317068 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.905373096 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.905399084 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.906573057 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.906625032 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.906662941 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.907872915 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.907936096 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.907974958 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.909164906 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.909214973 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.909246922 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.910422087 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.910475016 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.910514116 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.911725044 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.911777020 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.911894083 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.912996054 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.913039923 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.913093090 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.914294004 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.914335966 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.914426088 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.915572882 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.915625095 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.915651083 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.916877985 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.916924000 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.916934967 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.918157101 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.918203115 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.918235064 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.919472933 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.919517994 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.919534922 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.920756102 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.920810938 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.920933962 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.921960115 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.921999931 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.922054052 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.923280001 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.923326969 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.923352957 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.924542904 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.924581051 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.924639940 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.925940990 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.925981045 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.925986052 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.927124977 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.927171946 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.927308083 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.928453922 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.928508043 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.928527117 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.929678917 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.929729939 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.929789066 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.930977106 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.931025028 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.931094885 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.932250977 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.932291031 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.932312012 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.933510065 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.933578014 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.933621883 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.934823990 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.934869051 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.934957027 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.936099052 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.936145067 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.936220884 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.937374115 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.937422991 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.937477112 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.938642025 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.938683987 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.938775063 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.939929008 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.939975977 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.940057039 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.941199064 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.941241026 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.941335917 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.942507982 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.942543030 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.942553043 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.943758965 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.943800926 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.943869114 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.945054054 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.945092916 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.945131063 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.946312904 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.946368933 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.946407080 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.947603941 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.947638035 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.947654009 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.948930979 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.948981047 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:00.948997974 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:00.993428946 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.093137026 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.093240976 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.093415022 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.093750954 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.093858004 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.093907118 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.095101118 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.095182896 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.095227957 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.096256971 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.096357107 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.096398115 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.097533941 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.097639084 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.097682953 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.098843098 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.099062920 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.099111080 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.100061893 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.100191116 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.100234032 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.101387024 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.101489067 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.101541042 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.102623940 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.102726936 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.102781057 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.103908062 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.104020119 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.104084015 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.105180979 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.105284929 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.105323076 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.106591940 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.106708050 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.106755972 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.107752085 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.107899904 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.107952118 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.109019995 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.109108925 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.109150887 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.110265970 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.110378027 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.110425949 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.111536026 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.111648083 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.111696959 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.112811089 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.112927914 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.112972975 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.114078999 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.114191055 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.114244938 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:01.115344048 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:01.165209055 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:03.345803022 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:03.466099024 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.466162920 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.466198921 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:03.466202021 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.466212034 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.466239929 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.466252089 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:03.466278076 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.466288090 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.466351986 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.466360092 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.466397047 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.497215986 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:03.586323977 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.586334944 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.586344004 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.586363077 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.586390972 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.586400032 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.586515903 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.618006945 CET	2431	49705	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:03.618333101 CET	49705	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:26.100106955 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:26.102250099 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:26.222227097 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:56.183911085 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 13:59:56.185503006 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 13:59:56.305505991 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 14:00:26.386804104 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 14:00:26.392128944 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 14:00:26.513608932 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 14:00:47.494005919 CET	49706	80	192.168.2.5	178.237.33.50
Nov 28, 2024 14:00:47.868869066 CET	49706	80	192.168.2.5	178.237.33.50
Nov 28, 2024 14:00:48.572029114 CET	49706	80	192.168.2.5	178.237.33.50
Nov 28, 2024 14:00:49.775244951 CET	49706	80	192.168.2.5	178.237.33.50
Nov 28, 2024 14:00:52.259542942 CET	49706	80	192.168.2.5	178.237.33.50
Nov 28, 2024 14:00:56.529685974 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 14:00:56.532994032 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 14:00:56.653043985 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 14:00:57.072141886 CET	49706	80	192.168.2.5	178.237.33.50
Nov 28, 2024 14:01:06.837728024 CET	49706	80	192.168.2.5	178.237.33.50
Nov 28, 2024 14:01:26.612951040 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 14:01:26.617054939 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 14:01:26.739118099 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 14:01:56.655128002 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 14:01:56.657394886 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 14:01:56.779782057 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 14:02:26.696156979 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 14:02:26.697818995 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 14:02:26.820580006 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 14:02:56.756405115 CET	2431	49704	31.13.224.72	192.168.2.5
Nov 28, 2024 14:02:56.758337021 CET	49704	2431	192.168.2.5	31.13.224.72
Nov 28, 2024 14:02:56.878887892 CET	2431	49704	31.13.224.72	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 13:58:54.632896900 CET	63993	53	192.168.2.5	1.1.1.1
Nov 28, 2024 13:58:54.937885046 CET	53	63993	1.1.1.1	192.168.2.5
Nov 28, 2024 13:58:57.496769905 CET	61078	53	192.168.2.5	1.1.1.1
Nov 28, 2024 13:58:57.636667013 CET	53	61078	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 28, 2024 13:58:54.632896900 CET	192.168.2.5	1.1.1.1	0xace4	Standard query (0)	newbeggin.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:58:57.496769905 CET	192.168.2.5	1.1.1.1	0x5983	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 28, 2024 13:58:54.937885046 CET	1.1.1.1	192.168.2.5	0xace4	No error (0)	newbeggin.duckdns.org		31.13.224.72	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:58:57.636667013 CET	1.1.1.1	192.168.2.5	0x5983	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	178.237.33.50	80	6156	C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:58:57.762363911 CET	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Nov 28, 2024 13:58:59.099044085 CET	1171	IN	HTTP/1.1 200 OK date: Thu, 28 Nov 2024 12:58:58 GMT server: Apache content-length: 963 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Analysis Process: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exePID: 6156, Parent PID: 1028

General

Target ID:	0
Start time:	07:58:54
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe"
Imagebase:	0x400000
File size:	493'056 bytes
MD5 hash:	1C7A20B7156251EEB2AE903CBFC204E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2000316301.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.2000316301.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.2000316301.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.2000316301.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4448661810.000000000070E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4448476317.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4448476317.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4448476317.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4448476317.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Chronological Activities

Analysis Process: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exePID: 6524, Parent PID: 6156

General

Target ID:	2
Start time:	07:59:00
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\hiorcudfdjvgfduzawbdqufameompfcr"
Imagebase:	0x400000
File size:	493'056 bytes
MD5 hash:	1C7A20B7156251EEB2AE903CBFC204E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000000.2066282556.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000000.2066282556.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000000.2066282556.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000000.2066282556.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Chronological Activities

Analysis Process: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exePID: 6484, Parent PID: 6156

General

Target ID:	3
Start time:	07:59:00
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\rctj"
Imagebase:	0x400000
File size:	493'056 bytes
MD5 hash:	1C7A20B7156251EEB2AE903CBFC204E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000000.2066558477.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000000.2066558477.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000000.2066558477.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000000.2066558477.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Chronological Activities

Analysis Process: 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exePID: 5012, Parent PID: 6156

General

Target ID:	4
Start time:	07:59:00
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\begcefy"
Imagebase:	0x400000
File size:	493'056 bytes
MD5 hash:	1C7A20B7156251EEB2AE903CBFC204E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000000.2067183514.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000000.2067183514.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000000.2067183514.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000000.2067183514.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true