Edit tour

Windows Analysis Report
Material Requirments.exe

Overview

General Information

Sample name:	Material Requirments.exe (renamed file extension from pif to exe)
Original sample name:	Material Requirments.pif
Analysis ID:	1591545
MD5:	3a9da3edc40736cc832eded3c389a661
SHA1:	f32f61fb4458696dae4f15d82377163521e4f8b5
SHA256:	f2418ca6e602c9470a8b6e32172432726e50b00d6e7a0ee5bd70d0172017d6c3
Infos:

Detection

Remcos, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates autostart registry keys with suspicious names

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

Material Requirments.exe (PID: 7156 cmdline: "C:\Users\user\Desktop\Material Requirments.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)

Material Requirments.exe (PID: 1372 cmdline: "C:\Users\user\Desktop\Material Requirments.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)

remcos.exe (PID: 1248 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)

remcos.exe (PID: 1276 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)

remcos.exe (PID: 3116 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)

remcos.exe (PID: 7120 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)

remcos.exe (PID: 1680 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)

remcos.exe (PID: 6620 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)

remcos.exe (PID: 6752 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)

remcos.exe (PID: 2436 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["87.120.116.245:2400:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-24L73B", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2193815642.0000000001397000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.2059843569.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.2278960559.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2075574179.0000000007610000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b540:$a1: Remcos restarted by watchdog! 0x6bab8:$a3: %02i:%02i:%02i:%03i
0000000D.00000002.2358460692.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
00000000.00000002.2070300215.0000000004309000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.4498595557.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x14a300:$a1: Remcos restarted by watchdog! 0x16c520:$a1: Remcos restarted by watchdog! 0x14a878:$a3: %02i:%02i:%02i:%03i 0x16ca98:$a3: %02i:%02i:%02i:%03i
Process Memory Space: Material Requirments.exe PID: 7156	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Material Requirments.exe PID: 7156	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Material Requirments.exe PID: 7156	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Material Requirments.exe PID: 7156	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x3456c:$a1: Remcos restarted by watchdog! 0x594c4:$a1: Remcos restarted by watchdog! 0x34ac9:$a3: %02i:%02i:%02i:%03i 0x34e81:$a3: %02i:%02i:%02i:%03i 0x59a21:$a3: %02i:%02i:%02i:%03i 0x59dd0:$a3: %02i:%02i:%02i:%03i
Process Memory Space: Material Requirments.exe PID: 1372	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Material Requirments.exe PID: 1372	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Material Requirments.exe PID: 1372	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Material Requirments.exe PID: 1372	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x13f42:$a1: Remcos restarted by watchdog! 0x1449f:$a3: %02i:%02i:%02i:%03i 0x14857:$a3: %02i:%02i:%02i:%03i
Process Memory Space: remcos.exe PID: 1248	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: remcos.exe PID: 1276	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: remcos.exe PID: 7120	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: remcos.exe PID: 6620	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: remcos.exe PID: 2436	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 30 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Material Requirments.exe, ProcessId: 1372, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-24L73B

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Material Requirments.exe, ProcessId: 1372, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-24L73B

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 66 57 27 95 79 E4 43 60 A3 C1 CC 09 A2 F2 B0 DC C9 0C 47 50 1A D8 96 5A E5 39 C8 E5 77 FA BB 03 2E 29 40 1B B4 6E C5 35 05 56 FF 36 06 0F 9B D4 CE 11 07 FB BA C6 2D C8 B6 8A 17 DB 53 B8 CE 8E EE 46 , EventID: 13, EventType: SetValue, Image: C:\ProgramData\Remcos\remcos.exe, ProcessId: 1276, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-24L73B\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T03:51:41.530192+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49708	87.120.116.245	2400	TCP
2025-01-15T03:51:44.182556+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49711	87.120.116.245	2400	TCP
2025-01-15T03:51:46.821597+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49712	87.120.116.245	2400	TCP
2025-01-15T03:51:49.466137+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49713	87.120.116.245	2400	TCP
2025-01-15T03:51:52.102768+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49714	87.120.116.245	2400	TCP
2025-01-15T03:51:54.764998+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49720	87.120.116.245	2400	TCP
2025-01-15T03:51:57.399678+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49732	87.120.116.245	2400	TCP
2025-01-15T03:52:00.024952+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49753	87.120.116.245	2400	TCP
2025-01-15T03:52:02.668250+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49769	87.120.116.245	2400	TCP
2025-01-15T03:52:05.310210+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49785	87.120.116.245	2400	TCP
2025-01-15T03:52:07.947280+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49804	87.120.116.245	2400	TCP
2025-01-15T03:52:10.619393+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49822	87.120.116.245	2400	TCP
2025-01-15T03:52:13.247360+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49837	87.120.116.245	2400	TCP
2025-01-15T03:52:15.885829+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49856	87.120.116.245	2400	TCP
2025-01-15T03:52:18.606441+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49873	87.120.116.245	2400	TCP
2025-01-15T03:52:21.263352+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49892	87.120.116.245	2400	TCP
2025-01-15T03:52:23.901902+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49910	87.120.116.245	2400	TCP
2025-01-15T03:52:26.521560+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49926	87.120.116.245	2400	TCP
2025-01-15T03:52:29.131855+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49943	87.120.116.245	2400	TCP
2025-01-15T03:52:31.761709+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49961	87.120.116.245	2400	TCP
2025-01-15T03:52:35.322512+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49978	87.120.116.245	2400	TCP
2025-01-15T03:52:37.963143+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49996	87.120.116.245	2400	TCP
2025-01-15T03:52:40.603701+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50003	87.120.116.245	2400	TCP
2025-01-15T03:52:43.248030+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50004	87.120.116.245	2400	TCP
2025-01-15T03:52:45.891446+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50005	87.120.116.245	2400	TCP
2025-01-15T03:52:48.505802+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50006	87.120.116.245	2400	TCP
2025-01-15T03:52:51.733895+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50007	87.120.116.245	2400	TCP
2025-01-15T03:52:54.351096+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50009	87.120.116.245	2400	TCP
2025-01-15T03:52:57.087579+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50010	87.120.116.245	2400	TCP
2025-01-15T03:52:59.733578+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50011	87.120.116.245	2400	TCP
2025-01-15T03:53:02.389514+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50012	87.120.116.245	2400	TCP
2025-01-15T03:53:05.027616+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50013	87.120.116.245	2400	TCP
2025-01-15T03:53:07.654506+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50014	87.120.116.245	2400	TCP
2025-01-15T03:53:10.228093+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50015	87.120.116.245	2400	TCP
2025-01-15T03:53:12.795521+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50016	87.120.116.245	2400	TCP
2025-01-15T03:53:15.339669+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50017	87.120.116.245	2400	TCP
2025-01-15T03:53:17.838848+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50018	87.120.116.245	2400	TCP
2025-01-15T03:53:20.330001+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50019	87.120.116.245	2400	TCP
2025-01-15T03:53:22.765924+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50020	87.120.116.245	2400	TCP
2025-01-15T03:53:25.184710+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50021	87.120.116.245	2400	TCP
2025-01-15T03:53:27.589482+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50022	87.120.116.245	2400	TCP
2025-01-15T03:53:29.966355+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50023	87.120.116.245	2400	TCP
2025-01-15T03:53:32.308965+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50024	87.120.116.245	2400	TCP
2025-01-15T03:53:34.618635+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50025	87.120.116.245	2400	TCP
2025-01-15T03:53:36.919199+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50026	87.120.116.245	2400	TCP
2025-01-15T03:53:39.214435+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50027	87.120.116.245	2400	TCP
2025-01-15T03:53:41.467620+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50028	87.120.116.245	2400	TCP
2025-01-15T03:53:43.700638+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50029	87.120.116.245	2400	TCP
2025-01-15T03:53:45.982919+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50030	87.120.116.245	2400	TCP
2025-01-15T03:53:49.186255+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50031	87.120.116.245	2400	TCP
2025-01-15T03:53:51.394333+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50032	87.120.116.245	2400	TCP
2025-01-15T03:53:53.595153+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50033	87.120.116.245	2400	TCP
2025-01-15T03:53:55.767330+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50034	87.120.116.245	2400	TCP
2025-01-15T03:53:57.909759+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50035	87.120.116.245	2400	TCP
2025-01-15T03:54:00.027576+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50036	87.120.116.245	2400	TCP
2025-01-15T03:54:02.122155+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50037	87.120.116.245	2400	TCP
2025-01-15T03:54:04.239670+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50038	87.120.116.245	2400	TCP
2025-01-15T03:54:06.288974+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50039	87.120.116.245	2400	TCP
2025-01-15T03:54:08.322137+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50040	87.120.116.245	2400	TCP
2025-01-15T03:54:10.356046+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50041	87.120.116.245	2400	TCP
2025-01-15T03:54:12.391702+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50042	87.120.116.245	2400	TCP
2025-01-15T03:54:14.407861+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50043	87.120.116.245	2400	TCP
2025-01-15T03:54:16.389946+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50044	87.120.116.245	2400	TCP
2025-01-15T03:54:18.387505+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50045	87.120.116.245	2400	TCP
2025-01-15T03:54:20.373931+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50046	87.120.116.245	2400	TCP
2025-01-15T03:54:22.357907+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50047	87.120.116.245	2400	TCP
2025-01-15T03:54:24.308993+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50048	87.120.116.245	2400	TCP
2025-01-15T03:54:26.268063+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50049	87.120.116.245	2400	TCP
2025-01-15T03:54:28.206760+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50050	87.120.116.245	2400	TCP
2025-01-15T03:54:30.159007+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50051	87.120.116.245	2400	TCP
2025-01-15T03:54:32.075397+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50052	87.120.116.245	2400	TCP
2025-01-15T03:54:33.982978+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50053	87.120.116.245	2400	TCP
2025-01-15T03:54:35.893550+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50054	87.120.116.245	2400	TCP
2025-01-15T03:54:37.780203+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50055	87.120.116.245	2400	TCP
2025-01-15T03:54:39.763136+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50056	87.120.116.245	2400	TCP
2025-01-15T03:54:41.622806+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50057	87.120.116.245	2400	TCP
2025-01-15T03:54:43.481632+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50058	87.120.116.245	2400	TCP
2025-01-15T03:54:45.327929+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50059	87.120.116.245	2400	TCP
2025-01-15T03:54:47.168931+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50060	87.120.116.245	2400	TCP
2025-01-15T03:54:48.993020+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50061	87.120.116.245	2400	TCP
2025-01-15T03:54:50.825416+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50062	87.120.116.245	2400	TCP
2025-01-15T03:54:52.690343+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50063	87.120.116.245	2400	TCP
2025-01-15T03:54:54.528868+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50064	87.120.116.245	2400	TCP
2025-01-15T03:54:56.399161+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50065	87.120.116.245	2400	TCP
2025-01-15T03:54:58.227952+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50066	87.120.116.245	2400	TCP
2025-01-15T03:55:00.032292+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50067	87.120.116.245	2400	TCP
2025-01-15T03:55:01.831851+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50068	87.120.116.245	2400	TCP
2025-01-15T03:55:03.623843+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50069	87.120.116.245	2400	TCP
2025-01-15T03:55:05.439849+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50070	87.120.116.245	2400	TCP
2025-01-15T03:55:07.213988+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50071	87.120.116.245	2400	TCP
2025-01-15T03:55:09.003871+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50072	87.120.116.245	2400	TCP
2025-01-15T03:55:10.874478+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50073	87.120.116.245	2400	TCP
2025-01-15T03:55:12.639545+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50074	87.120.116.245	2400	TCP
2025-01-15T03:55:14.389716+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50075	87.120.116.245	2400	TCP
2025-01-15T03:55:16.137728+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50076	87.120.116.245	2400	TCP
2025-01-15T03:55:17.870801+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50077	87.120.116.245	2400	TCP
2025-01-15T03:55:19.626174+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50078	87.120.116.245	2400	TCP
2025-01-15T03:55:21.391704+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50079	87.120.116.245	2400	TCP
2025-01-15T03:55:23.122189+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50080	87.120.116.245	2400	TCP
2025-01-15T03:55:24.842043+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50081	87.120.116.245	2400	TCP
2025-01-15T03:55:26.586078+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50082	87.120.116.245	2400	TCP
2025-01-15T03:55:28.309680+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50083	87.120.116.245	2400	TCP
2025-01-15T03:55:30.031959+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50084	87.120.116.245	2400	TCP
2025-01-15T03:55:31.767566+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50085	87.120.116.245	2400	TCP
2025-01-15T03:55:33.487033+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50086	87.120.116.245	2400	TCP
2025-01-15T03:55:35.219590+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50087	87.120.116.245	2400	TCP
2025-01-15T03:55:36.988072+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50088	87.120.116.245	2400	TCP
2025-01-15T03:55:38.763959+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50089	87.120.116.245	2400	TCP
2025-01-15T03:55:40.522010+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50090	87.120.116.245	2400	TCP
2025-01-15T03:55:42.288746+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	50091	87.120.116.245	2400	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000007.00000002.2193815642.0000000001397000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["87.120.116.245:2400:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-24L73B", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Remcos\remcos.exe	ReversingLabs: Detection: 68%
Source: C:\ProgramData\Remcos\remcos.exe	Virustotal: Detection: 77%			Perma Link

Multi AV Scanner detection for submitted file

Source: Material Requirments.exe	Virustotal: Detection: 77%			Perma Link
Source: Material Requirments.exe	ReversingLabs: Detection: 68%

Yara detected Remcos RAT

Source: Yara match	File source: 00000007.00000002.2193815642.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2059843569.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2278960559.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2358460692.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4498595557.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Material Requirments.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Material Requirments.exe PID: 1372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 1276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 2436, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\Remcos\remcos.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Material Requirments.exe

Joe Sandbox ML: detected

Source: Material Requirments.exe, 00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_60890792-4

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Material Requirments.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Material Requirments.exe PID: 1372, type: MEMORYSTR

Source: Material Requirments.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Material Requirments.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49712 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49708 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49711 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49713 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49720 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49732 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49714 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49753 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49769 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49785 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49804 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49822 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49837 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49856 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49873 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49892 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49910 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49926 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49943 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49961 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49978 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49996 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50004 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50007 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50005 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50003 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50009 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50006 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50011 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50015 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50012 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50014 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50010 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50019 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50022 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50023 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50020 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50016 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50018 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50017 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50025 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50021 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50024 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50030 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50028 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50033 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50038 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50031 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50040 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50037 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50029 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50035 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50034 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50036 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50013 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50044 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50039 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50041 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50043 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50026 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50050 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50046 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50051 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50048 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50054 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50032 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50052 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50042 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50049 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50055 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50059 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50045 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50058 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50065 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50067 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50066 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50057 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50072 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50063 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50062 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50061 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50053 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50069 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50027 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50075 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50068 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50071 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50047 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50076 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50070 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50077 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50079 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50056 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50078 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50080 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50083 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50082 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50074 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50064 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50085 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50091 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50086 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50081 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50089 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50073 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50060 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50084 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50087 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50090 -> 87.120.116.245:2400
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:50088 -> 87.120.116.245:2400

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 87.120.116.245

Source: global traffic

TCP traffic: 192.168.2.5:49708 -> 87.120.116.245:2400

Source: Joe Sandbox View

ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.245

Source: Material Requirments.exe, 00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, Material Requirments.exe, 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Material Requirments.exe, 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: remcos.exe, 00000006.00000002.2197961974.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000000A.00000002.2284053143.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2364039060.0000000003129000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.

Source: Yara match	File source: 00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Material Requirments.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Material Requirments.exe PID: 1372, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000007.00000002.2193815642.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2059843569.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2278960559.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2358460692.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4498595557.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Material Requirments.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Material Requirments.exe PID: 1372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 1276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 2436, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Material Requirments.exe PID: 7156, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Material Requirments.exe PID: 1372, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: Material Requirments.exe, 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Material Requirments.exe
Source: Material Requirments.exe, 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Material Requirments.exe
Source: Material Requirments.exe, 00000000.00000002.2075574179.0000000007610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Material Requirments.exe
Source: Material Requirments.exe, 00000000.00000000.2046337274.0000000000E96000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebEab.exe@ vs Material Requirments.exe
Source: Material Requirments.exe, 00000000.00000002.2076374844.00000000080E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Material Requirments.exe
Source: Material Requirments.exe, 00000000.00000002.2058601948.00000000014C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Material Requirments.exe
Source: Material Requirments.exe, 00000000.00000002.2070300215.0000000004309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Material Requirments.exe
Source: Material Requirments.exe	Binary or memory string: OriginalFilenamebEab.exe@ vs Material Requirments.exe

Source: Material Requirments.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Material Requirments.exe PID: 7156, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Material Requirments.exe PID: 1372, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: Material Requirments.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: remcos.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@16/4@0/1

Source: C:\Users\user\Desktop\Material Requirments.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Material Requirments.exe.log

Jump to behavior

Source: C:\ProgramData\Remcos\remcos.exe	Mutant created: NULL
Source: C:\ProgramData\Remcos\remcos.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-24L73B

Source: Material Requirments.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Material Requirments.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Material Requirments.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Material Requirments.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Material Requirments.exe	Virustotal: Detection: 77%
Source: Material Requirments.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\Material Requirments.exe

File read: C:\Users\user\Desktop\Material Requirments.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Material Requirments.exe "C:\Users\user\Desktop\Material Requirments.exe"
Source: C:\Users\user\Desktop\Material Requirments.exe	Process created: C:\Users\user\Desktop\Material Requirments.exe "C:\Users\user\Desktop\Material Requirments.exe"
Source: C:\Users\user\Desktop\Material Requirments.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\user\Desktop\Material Requirments.exe	Process created: C:\Users\user\Desktop\Material Requirments.exe "C:\Users\user\Desktop\Material Requirments.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: kernel.appcore.dll

Source: C:\Users\user\Desktop\Material Requirments.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Material Requirments.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Material Requirments.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Material Requirments.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Material Requirments.exe	Static PE information: section name: .text entropy: 7.831221418025935
Source: remcos.exe.3.dr	Static PE information: section name: .text entropy: 7.831221418025935

Source: C:\Users\user\Desktop\Material Requirments.exe

File created: C:\ProgramData\Remcos\remcos.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Material Requirments.exe

File created: C:\ProgramData\Remcos\remcos.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\Material Requirments.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-24L73B

Jump to behavior

Source: C:\Users\user\Desktop\Material Requirments.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-24L73B	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-24L73B	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-24L73B	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-24L73B	Jump to behavior

Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: remcos.exe PID: 1248, type: MEMORYSTR

Source: C:\Users\user\Desktop\Material Requirments.exe	Memory allocated: 16F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Memory allocated: 3300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Memory allocated: 82A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Memory allocated: 92A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Memory allocated: 9450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Memory allocated: A450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 2B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 2850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 73A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 83A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 8530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 9530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 1320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 2F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 1480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 7B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 8B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 8CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 9CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 2920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 7500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 8500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 86A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 96A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 1960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 3120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 5120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 7D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 8D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 8ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory allocated: 9ED0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Material Requirments.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\ProgramData\Remcos\remcos.exe	Window / User API: threadDelayed 3140			Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Window / User API: threadDelayed 6806			Jump to behavior

Source: C:\Users\user\Desktop\Material Requirments.exe TID: 6348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe TID: 6620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe TID: 1200	Thread sleep count: 3140 > 30	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe TID: 1200	Thread sleep time: -9420000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe TID: 1200	Thread sleep count: 6806 > 30	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe TID: 1200	Thread sleep time: -20418000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe TID: 1684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe TID: 4724	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe TID: 1048	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Material Requirments.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: remcos.exe, 00000005.00000002.4498595557.00000000010E8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB

Source: C:\Users\user\Desktop\Material Requirments.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Material Requirments.exe	Memory written: C:\Users\user\Desktop\Material Requirments.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory written: C:\ProgramData\Remcos\remcos.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory written: C:\ProgramData\Remcos\remcos.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Memory written: C:\ProgramData\Remcos\remcos.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\Material Requirments.exe	Process created: C:\Users\user\Desktop\Material Requirments.exe "C:\Users\user\Desktop\Material Requirments.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Material Requirments.exe	Queries volume information: C:\Users\user\Desktop\Material Requirments.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Material Requirments.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\ProgramData\Remcos\remcos.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\ProgramData\Remcos\remcos.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\ProgramData\Remcos\remcos.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\ProgramData\Remcos\remcos.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Material Requirments.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 00000000.00000002.2075574179.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070300215.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Remcos RAT

Source: Yara match	File source: 00000007.00000002.2193815642.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2059843569.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2278960559.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2358460692.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4498595557.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Material Requirments.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Material Requirments.exe PID: 1372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 1276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 2436, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\Material Requirments.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-24L73B	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-24L73B	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-24L73B	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-24L73B	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-24L73B

Yara detected PureLog Stealer

Source: Yara match	File source: 00000000.00000002.2075574179.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070300215.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Remcos RAT

Source: Yara match	File source: 00000007.00000002.2193815642.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2059843569.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2278960559.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2358460692.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4498595557.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Material Requirments.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Material Requirments.exe PID: 1372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 1276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: remcos.exe PID: 2436, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	11 Registry Run Keys / Startup Folder	111 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Material Requirments.exe	78%	Virustotal		Browse
Material Requirments.exe	68%	ReversingLabs	Win32.Trojan.Remcos
Material Requirments.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Remcos\remcos.exe	100%	Joe Sandbox ML
C:\ProgramData\Remcos\remcos.exe	68%	ReversingLabs	Win32.Trojan.Remcos
C:\ProgramData\Remcos\remcos.exe	78%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.w3.	remcos.exe, 00000006.00000002.2197961974.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000000A.00000002.2284053143.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2364039060.0000000003129000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gp/C	Material Requirments.exe, 00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, Material Requirments.exe, 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Material Requirments.exe, 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.120.116.245	unknown	Bulgaria		25206	UNACS-AS-BG8000BurgasBG	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591545
Start date and time:	2025-01-15 03:50:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Material Requirments.exe (renamed file extension from pif to exe)
Original Sample Name:	Material Requirments.pif
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@16/4@0/1
Cookbook Comments:	Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 23.1.237.91, 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:51:36	API Interceptor	1x Sleep call for process: Material Requirments.exe modified
21:51:38	API Interceptor	4850469x Sleep call for process: remcos.exe modified
21:51:40	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-24L73B "C:\ProgramData\Remcos\remcos.exe"
21:51:49	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Rmc-24L73B "C:\ProgramData\Remcos\remcos.exe"
21:51:57	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-24L73B "C:\ProgramData\Remcos\remcos.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
87.120.116.245	Material requirements_1.pif.exe	Get hash	malicious	Remcos	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNACS-AS-BG8000BurgasBG	preliminary drawing.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	87.120.127.120
	5tCuNr661k.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	5tCuNr661k.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	shaLnqmyTS.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	shaLnqmyTS.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	zAGUEDGSTM.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	WtZl31OLfA.exe	Get hash	malicious	Remcos, GuLoader	Browse	87.120.116.187
	C5Zr4LSzmp.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	C5Zr4LSzmp.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	2XnMqJW0u1.exe	Get hash	malicious	XWorm	Browse	87.120.120.15

Process:	C:\Users\user\Desktop\Material Requirments.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1005568
Entropy (8bit):	7.827484845541161
Encrypted:	false
SSDEEP:	24576:rbT8S0ck7b8crshYjBSbIBDESo13E/WFRHVJmSr39RrE:rf8S0cXcrsWtDfoFRVJvNRrE
MD5:	3A9DA3EDC40736CC832EDED3C389A661
SHA1:	F32F61FB4458696DAE4F15D82377163521E4F8B5
SHA-256:	F2418CA6E602C9470A8B6E32172432726E50B00D6E7A0EE5BD70D0172017D6C3
SHA-512:	A1E2EFE247E78CFB0AD62125C69C44200F6FC094085A570A0AD9A4FF3D0F2025EB9F0AACBE7CD7DCE46A18121C02D46FEC471A3353733A93EC49B6A81D243E95
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68% Antivirus: Virustotal, Detection: 78%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^&.g..............0..,..........K... ...`....@.. ....................................`.................................4K..O....`..\|'........................................................................... ............... ..H............text....+... ...,.................. ..`.rsrc...\|'...`...(..................@..@.reloc...............V..............@..B................hK......H........C...:......%...D~.................................................}......}.....(........}......o.......0............{........+....0............{........+....0..9.........(.........,.r...ps....z.{....o ...o!....o"...t.....+......0..9.........(.........,.r...ps....z.{....o#...o!....o"...t.....+......0..C.........($...u...........,...+(.o%...u.............,...+..o$...u.....+....0..+.........(......,.r+..ps....z..}.....(!....o&......0..8.........{.........,...+$.{

C:\ProgramData\Remcos\remcos.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Material Requirments.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Material Requirments.exe.log

Download File

Process:	C:\Users\user\Desktop\Material Requirments.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\remcos.exe.log

Download File

Process:	C:\ProgramData\Remcos\remcos.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.827484845541161
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Material Requirments.exe
File size:	1'005'568 bytes
MD5:	3a9da3edc40736cc832eded3c389a661
SHA1:	f32f61fb4458696dae4f15d82377163521e4f8b5
SHA256:	f2418ca6e602c9470a8b6e32172432726e50b00d6e7a0ee5bd70d0172017d6c3
SHA512:	a1e2efe247e78cfb0ad62125c69c44200f6fc094085a570a0ad9a4ff3d0f2025eb9f0aacbe7cd7dce46a18121c02d46fec471a3353733a93ec49b6a81d243e95
SSDEEP:	24576:rbT8S0ck7b8crshYjBSbIBDESo13E/WFRHVJmSr39RrE:rf8S0cXcrsWtDfoFRVJvNRrE
TLSH:	252512592749ED06C8D20BB098B0E3F826705FD9EA51C3039AFDBEFB7C265967418394
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^&.g..............0..,...*.......K... ...`....@.. ....................................`................................

File Icon


Icon Hash:	33362c2d36335470

Static PE Info

General

Entrypoint:	0x4f4b86
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677F265E [Thu Jan 9 01:29:02 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf4b34	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf6000	0x277c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf2b8c	0xf2c00	0a8b8c4bd722d339244aaee111723f05	False	0.935753049369207	data	7.831221418025935	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf6000	0x277c	0x2800	4e9b0506103b0eab1b88df4722769ed0	False	0.87890625	data	7.595806949277348	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfa000	0xc	0x200	f7cd7afbc98af4aee0e8ddfc076da2a5	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xf60c8	0x2356	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9427371213796153
RT_GROUP_ICON	0xf8430	0x14	data	1.05
RT_VERSION	0xf8454	0x324	data	0.43283582089552236

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T03:51:41.530192+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49708	87.120.116.245	2400	TCP
2025-01-15T03:51:44.182556+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49711	87.120.116.245	2400	TCP
2025-01-15T03:51:46.821597+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49712	87.120.116.245	2400	TCP
2025-01-15T03:51:49.466137+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49713	87.120.116.245	2400	TCP
2025-01-15T03:51:52.102768+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49714	87.120.116.245	2400	TCP
2025-01-15T03:51:54.764998+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49720	87.120.116.245	2400	TCP
2025-01-15T03:51:57.399678+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49732	87.120.116.245	2400	TCP
2025-01-15T03:52:00.024952+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49753	87.120.116.245	2400	TCP
2025-01-15T03:52:02.668250+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49769	87.120.116.245	2400	TCP
2025-01-15T03:52:05.310210+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49785	87.120.116.245	2400	TCP
2025-01-15T03:52:07.947280+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49804	87.120.116.245	2400	TCP
2025-01-15T03:52:10.619393+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49822	87.120.116.245	2400	TCP
2025-01-15T03:52:13.247360+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49837	87.120.116.245	2400	TCP
2025-01-15T03:52:15.885829+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49856	87.120.116.245	2400	TCP
2025-01-15T03:52:18.606441+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49873	87.120.116.245	2400	TCP
2025-01-15T03:52:21.263352+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49892	87.120.116.245	2400	TCP
2025-01-15T03:52:23.901902+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49910	87.120.116.245	2400	TCP
2025-01-15T03:52:26.521560+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49926	87.120.116.245	2400	TCP
2025-01-15T03:52:29.131855+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49943	87.120.116.245	2400	TCP
2025-01-15T03:52:31.761709+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49961	87.120.116.245	2400	TCP
2025-01-15T03:52:35.322512+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49978	87.120.116.245	2400	TCP
2025-01-15T03:52:37.963143+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	49996	87.120.116.245	2400	TCP
2025-01-15T03:52:40.603701+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50003	87.120.116.245	2400	TCP
2025-01-15T03:52:43.248030+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50004	87.120.116.245	2400	TCP
2025-01-15T03:52:45.891446+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50005	87.120.116.245	2400	TCP
2025-01-15T03:52:48.505802+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50006	87.120.116.245	2400	TCP
2025-01-15T03:52:51.733895+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50007	87.120.116.245	2400	TCP
2025-01-15T03:52:54.351096+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50009	87.120.116.245	2400	TCP
2025-01-15T03:52:57.087579+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50010	87.120.116.245	2400	TCP
2025-01-15T03:52:59.733578+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50011	87.120.116.245	2400	TCP
2025-01-15T03:53:02.389514+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50012	87.120.116.245	2400	TCP
2025-01-15T03:53:05.027616+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50013	87.120.116.245	2400	TCP
2025-01-15T03:53:07.654506+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50014	87.120.116.245	2400	TCP
2025-01-15T03:53:10.228093+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50015	87.120.116.245	2400	TCP
2025-01-15T03:53:12.795521+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50016	87.120.116.245	2400	TCP
2025-01-15T03:53:15.339669+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50017	87.120.116.245	2400	TCP
2025-01-15T03:53:17.838848+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50018	87.120.116.245	2400	TCP
2025-01-15T03:53:20.330001+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50019	87.120.116.245	2400	TCP
2025-01-15T03:53:22.765924+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50020	87.120.116.245	2400	TCP
2025-01-15T03:53:25.184710+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50021	87.120.116.245	2400	TCP
2025-01-15T03:53:27.589482+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50022	87.120.116.245	2400	TCP
2025-01-15T03:53:29.966355+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50023	87.120.116.245	2400	TCP
2025-01-15T03:53:32.308965+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50024	87.120.116.245	2400	TCP
2025-01-15T03:53:34.618635+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50025	87.120.116.245	2400	TCP
2025-01-15T03:53:36.919199+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50026	87.120.116.245	2400	TCP
2025-01-15T03:53:39.214435+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50027	87.120.116.245	2400	TCP
2025-01-15T03:53:41.467620+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50028	87.120.116.245	2400	TCP
2025-01-15T03:53:43.700638+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50029	87.120.116.245	2400	TCP
2025-01-15T03:53:45.982919+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50030	87.120.116.245	2400	TCP
2025-01-15T03:53:49.186255+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50031	87.120.116.245	2400	TCP
2025-01-15T03:53:51.394333+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50032	87.120.116.245	2400	TCP
2025-01-15T03:53:53.595153+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50033	87.120.116.245	2400	TCP
2025-01-15T03:53:55.767330+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50034	87.120.116.245	2400	TCP
2025-01-15T03:53:57.909759+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50035	87.120.116.245	2400	TCP
2025-01-15T03:54:00.027576+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50036	87.120.116.245	2400	TCP
2025-01-15T03:54:02.122155+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50037	87.120.116.245	2400	TCP
2025-01-15T03:54:04.239670+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50038	87.120.116.245	2400	TCP
2025-01-15T03:54:06.288974+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50039	87.120.116.245	2400	TCP
2025-01-15T03:54:08.322137+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50040	87.120.116.245	2400	TCP
2025-01-15T03:54:10.356046+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50041	87.120.116.245	2400	TCP
2025-01-15T03:54:12.391702+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50042	87.120.116.245	2400	TCP
2025-01-15T03:54:14.407861+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50043	87.120.116.245	2400	TCP
2025-01-15T03:54:16.389946+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50044	87.120.116.245	2400	TCP
2025-01-15T03:54:18.387505+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50045	87.120.116.245	2400	TCP
2025-01-15T03:54:20.373931+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50046	87.120.116.245	2400	TCP
2025-01-15T03:54:22.357907+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50047	87.120.116.245	2400	TCP
2025-01-15T03:54:24.308993+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50048	87.120.116.245	2400	TCP
2025-01-15T03:54:26.268063+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50049	87.120.116.245	2400	TCP
2025-01-15T03:54:28.206760+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50050	87.120.116.245	2400	TCP
2025-01-15T03:54:30.159007+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50051	87.120.116.245	2400	TCP
2025-01-15T03:54:32.075397+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50052	87.120.116.245	2400	TCP
2025-01-15T03:54:33.982978+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50053	87.120.116.245	2400	TCP
2025-01-15T03:54:35.893550+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50054	87.120.116.245	2400	TCP
2025-01-15T03:54:37.780203+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50055	87.120.116.245	2400	TCP
2025-01-15T03:54:39.763136+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50056	87.120.116.245	2400	TCP
2025-01-15T03:54:41.622806+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50057	87.120.116.245	2400	TCP
2025-01-15T03:54:43.481632+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50058	87.120.116.245	2400	TCP
2025-01-15T03:54:45.327929+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50059	87.120.116.245	2400	TCP
2025-01-15T03:54:47.168931+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50060	87.120.116.245	2400	TCP
2025-01-15T03:54:48.993020+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50061	87.120.116.245	2400	TCP
2025-01-15T03:54:50.825416+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50062	87.120.116.245	2400	TCP
2025-01-15T03:54:52.690343+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50063	87.120.116.245	2400	TCP
2025-01-15T03:54:54.528868+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50064	87.120.116.245	2400	TCP
2025-01-15T03:54:56.399161+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50065	87.120.116.245	2400	TCP
2025-01-15T03:54:58.227952+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50066	87.120.116.245	2400	TCP
2025-01-15T03:55:00.032292+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50067	87.120.116.245	2400	TCP
2025-01-15T03:55:01.831851+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50068	87.120.116.245	2400	TCP
2025-01-15T03:55:03.623843+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50069	87.120.116.245	2400	TCP
2025-01-15T03:55:05.439849+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50070	87.120.116.245	2400	TCP
2025-01-15T03:55:07.213988+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50071	87.120.116.245	2400	TCP
2025-01-15T03:55:09.003871+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50072	87.120.116.245	2400	TCP
2025-01-15T03:55:10.874478+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50073	87.120.116.245	2400	TCP
2025-01-15T03:55:12.639545+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50074	87.120.116.245	2400	TCP
2025-01-15T03:55:14.389716+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50075	87.120.116.245	2400	TCP
2025-01-15T03:55:16.137728+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50076	87.120.116.245	2400	TCP
2025-01-15T03:55:17.870801+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50077	87.120.116.245	2400	TCP
2025-01-15T03:55:19.626174+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50078	87.120.116.245	2400	TCP
2025-01-15T03:55:21.391704+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50079	87.120.116.245	2400	TCP
2025-01-15T03:55:23.122189+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50080	87.120.116.245	2400	TCP
2025-01-15T03:55:24.842043+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50081	87.120.116.245	2400	TCP
2025-01-15T03:55:26.586078+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50082	87.120.116.245	2400	TCP
2025-01-15T03:55:28.309680+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50083	87.120.116.245	2400	TCP
2025-01-15T03:55:30.031959+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50084	87.120.116.245	2400	TCP
2025-01-15T03:55:31.767566+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50085	87.120.116.245	2400	TCP
2025-01-15T03:55:33.487033+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50086	87.120.116.245	2400	TCP
2025-01-15T03:55:35.219590+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50087	87.120.116.245	2400	TCP
2025-01-15T03:55:36.988072+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50088	87.120.116.245	2400	TCP
2025-01-15T03:55:38.763959+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50089	87.120.116.245	2400	TCP
2025-01-15T03:55:40.522010+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50090	87.120.116.245	2400	TCP
2025-01-15T03:55:42.288746+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.5	50091	87.120.116.245	2400	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 03:51:39.887624979 CET	49708	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:39.892580032 CET	2400	49708	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:39.892657042 CET	49708	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:39.899358034 CET	49708	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:39.904122114 CET	2400	49708	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:41.530045986 CET	2400	49708	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:41.530191898 CET	49708	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:41.554934025 CET	49708	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:41.560254097 CET	2400	49708	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:42.560043097 CET	49711	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:42.565126896 CET	2400	49711	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:42.565367937 CET	49711	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:42.570139885 CET	49711	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:42.575042009 CET	2400	49711	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:44.181293964 CET	2400	49711	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:44.182555914 CET	49711	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:44.182775021 CET	49711	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:44.187622070 CET	2400	49711	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:45.185667992 CET	49712	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:45.190659046 CET	2400	49712	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:45.190737963 CET	49712	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:45.195915937 CET	49712	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:45.200706959 CET	2400	49712	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:46.821413040 CET	2400	49712	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:46.821597099 CET	49712	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:46.821597099 CET	49712	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:46.826450109 CET	2400	49712	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:47.826100111 CET	49713	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:47.831221104 CET	2400	49713	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:47.831291914 CET	49713	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:47.835890055 CET	49713	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:47.840758085 CET	2400	49713	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:49.466053963 CET	2400	49713	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:49.466136932 CET	49713	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:49.466236115 CET	49713	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:49.470989943 CET	2400	49713	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:50.483397007 CET	49714	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:50.488414049 CET	2400	49714	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:50.488511086 CET	49714	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:50.496829987 CET	49714	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:50.501732111 CET	2400	49714	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:52.102694988 CET	2400	49714	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:52.102767944 CET	49714	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:52.102854967 CET	49714	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:52.107649088 CET	2400	49714	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:53.111651897 CET	49720	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:53.117710114 CET	2400	49720	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:53.117805958 CET	49720	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:53.123282909 CET	49720	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:53.128835917 CET	2400	49720	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:54.764748096 CET	2400	49720	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:54.764997959 CET	49720	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:54.764997959 CET	49720	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:54.769989014 CET	2400	49720	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:55.779043913 CET	49732	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:55.784090042 CET	2400	49732	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:55.784193993 CET	49732	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:55.791858912 CET	49732	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:55.796725035 CET	2400	49732	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:57.399617910 CET	2400	49732	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:57.399677992 CET	49732	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:57.399749994 CET	49732	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:57.404449940 CET	2400	49732	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:58.403886080 CET	49753	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:58.408792973 CET	2400	49753	87.120.116.245	192.168.2.5
Jan 15, 2025 03:51:58.408869982 CET	49753	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:58.412343025 CET	49753	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:51:58.417123079 CET	2400	49753	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:00.024869919 CET	2400	49753	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:00.024951935 CET	49753	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:00.025029898 CET	49753	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:00.029870033 CET	2400	49753	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:01.029887915 CET	49769	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:01.034849882 CET	2400	49769	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:01.034965038 CET	49769	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:01.039299011 CET	49769	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:01.044096947 CET	2400	49769	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:02.667424917 CET	2400	49769	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:02.668250084 CET	49769	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:02.668416023 CET	49769	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:02.674016953 CET	2400	49769	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:03.671350956 CET	49785	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:03.676202059 CET	2400	49785	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:03.676417112 CET	49785	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:03.681301117 CET	49785	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:03.686070919 CET	2400	49785	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:05.309688091 CET	2400	49785	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:05.310209990 CET	49785	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:05.310209990 CET	49785	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:05.315083027 CET	2400	49785	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:06.326056004 CET	49804	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:06.330931902 CET	2400	49804	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:06.331048012 CET	49804	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:06.335052013 CET	49804	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:06.339904070 CET	2400	49804	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:07.947192907 CET	2400	49804	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:07.947279930 CET	49804	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:07.948820114 CET	49804	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:07.953602076 CET	2400	49804	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:08.967828989 CET	49822	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:08.972650051 CET	2400	49822	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:08.972714901 CET	49822	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:08.976775885 CET	49822	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:08.981614113 CET	2400	49822	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:10.619218111 CET	2400	49822	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:10.619393110 CET	49822	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:10.619393110 CET	49822	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:10.627999067 CET	2400	49822	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:11.622724056 CET	49837	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:11.627589941 CET	2400	49837	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:11.627657890 CET	49837	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:11.631586075 CET	49837	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:11.636346102 CET	2400	49837	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:13.244355917 CET	2400	49837	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:13.247359991 CET	49837	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:13.255080938 CET	49837	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:13.259893894 CET	2400	49837	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:14.263339996 CET	49856	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:14.268332005 CET	2400	49856	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:14.268399000 CET	49856	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:14.272384882 CET	49856	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:14.277324915 CET	2400	49856	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:15.885735989 CET	2400	49856	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:15.885828972 CET	49856	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:15.885883093 CET	49856	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:15.890737057 CET	2400	49856	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:16.966275930 CET	49873	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:16.971118927 CET	2400	49873	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:16.971199036 CET	49873	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:16.975138903 CET	49873	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:16.979989052 CET	2400	49873	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:18.603794098 CET	2400	49873	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:18.606441021 CET	49873	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:18.606592894 CET	49873	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:18.611397982 CET	2400	49873	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:19.622417927 CET	49892	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:19.627326965 CET	2400	49892	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:19.627407074 CET	49892	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:19.630639076 CET	49892	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:19.635481119 CET	2400	49892	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:21.263272047 CET	2400	49892	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:21.263351917 CET	49892	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:21.263662100 CET	49892	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:21.268484116 CET	2400	49892	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:22.278687954 CET	49910	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:22.283591986 CET	2400	49910	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:22.283673048 CET	49910	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:22.287241936 CET	49910	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:22.291996956 CET	2400	49910	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:23.901809931 CET	2400	49910	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:23.901901960 CET	49910	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:23.901997089 CET	49910	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:23.906793118 CET	2400	49910	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:24.903568983 CET	49926	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:24.908570051 CET	2400	49926	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:24.908643961 CET	49926	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:24.912511110 CET	49926	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:24.917602062 CET	2400	49926	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:26.521491051 CET	2400	49926	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:26.521559954 CET	49926	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:26.521635056 CET	49926	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:26.526464939 CET	2400	49926	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:27.528621912 CET	49943	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:27.533487082 CET	2400	49943	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:27.533576965 CET	49943	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:27.537159920 CET	49943	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:27.542006016 CET	2400	49943	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:29.131794930 CET	2400	49943	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:29.131855011 CET	49943	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:29.131922960 CET	49943	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:29.136720896 CET	2400	49943	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:30.138175964 CET	49961	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:30.143028975 CET	2400	49961	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:30.143105984 CET	49961	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:30.147356033 CET	49961	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:30.152187109 CET	2400	49961	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:31.761476994 CET	2400	49961	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:31.761708975 CET	49961	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:31.761708975 CET	49961	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:31.766854048 CET	2400	49961	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:32.763113976 CET	49978	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:33.620208025 CET	2400	49978	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:33.620331049 CET	49978	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:33.624475956 CET	49978	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:33.630202055 CET	2400	49978	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:35.322442055 CET	2400	49978	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:35.322511911 CET	49978	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:35.322583914 CET	49978	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:35.327405930 CET	2400	49978	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:36.325546026 CET	49996	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:36.330434084 CET	2400	49996	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:36.330585957 CET	49996	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:36.334835052 CET	49996	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:36.339610100 CET	2400	49996	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:37.962990046 CET	2400	49996	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:37.963143110 CET	49996	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:37.963233948 CET	49996	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:37.968120098 CET	2400	49996	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:38.966269016 CET	50003	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:38.971194029 CET	2400	50003	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:38.971427917 CET	50003	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:38.974608898 CET	50003	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:38.979393005 CET	2400	50003	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:40.603384018 CET	2400	50003	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:40.603701115 CET	50003	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:40.603701115 CET	50003	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:40.608613968 CET	2400	50003	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:41.608619928 CET	50004	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:41.613780022 CET	2400	50004	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:41.613917112 CET	50004	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:41.629578114 CET	50004	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:41.634504080 CET	2400	50004	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:43.247955084 CET	2400	50004	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:43.248029947 CET	50004	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:43.248105049 CET	50004	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:43.252911091 CET	2400	50004	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:44.263294935 CET	50005	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:44.268371105 CET	2400	50005	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:44.268480062 CET	50005	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:44.272213936 CET	50005	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:44.277033091 CET	2400	50005	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:45.885869980 CET	2400	50005	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:45.891446114 CET	50005	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:45.891529083 CET	50005	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:45.896416903 CET	2400	50005	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:46.903889894 CET	50006	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:46.908830881 CET	2400	50006	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:46.909070015 CET	50006	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:46.912787914 CET	50006	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:46.917603970 CET	2400	50006	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:48.505738020 CET	2400	50006	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:48.505801916 CET	50006	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:48.505881071 CET	50006	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:48.510631084 CET	2400	50006	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:49.513115883 CET	50007	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:49.518166065 CET	2400	50007	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:49.519454002 CET	50007	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:49.522996902 CET	50007	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:49.533293962 CET	2400	50007	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:51.733686924 CET	2400	50007	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:51.733819008 CET	2400	50007	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:51.733895063 CET	50007	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:51.733895063 CET	50007	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:51.733895063 CET	50007	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:51.733930111 CET	2400	50007	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:51.733978033 CET	50007	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:51.742316961 CET	2400	50007	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:52.747641087 CET	50009	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:52.752504110 CET	2400	50009	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:52.752669096 CET	50009	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:52.755925894 CET	50009	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:52.760741949 CET	2400	50009	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:54.350965977 CET	2400	50009	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:54.351095915 CET	50009	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:54.351095915 CET	50009	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:54.355946064 CET	2400	50009	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:55.356990099 CET	50010	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:55.361897945 CET	2400	50010	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:55.361988068 CET	50010	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:55.367078066 CET	50010	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:55.371887922 CET	2400	50010	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:57.086702108 CET	2400	50010	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:57.087579012 CET	50010	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:57.087579012 CET	50010	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:57.092649937 CET	2400	50010	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:58.100378036 CET	50011	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:58.105489016 CET	2400	50011	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:58.111521006 CET	50011	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:58.114799023 CET	50011	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:58.119801998 CET	2400	50011	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:59.732496977 CET	2400	50011	87.120.116.245	192.168.2.5
Jan 15, 2025 03:52:59.733577967 CET	50011	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:59.733577967 CET	50011	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:52:59.738574028 CET	2400	50011	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:00.748502016 CET	50012	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:00.753472090 CET	2400	50012	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:00.753551960 CET	50012	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:00.760159016 CET	50012	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:00.765002966 CET	2400	50012	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:02.389414072 CET	2400	50012	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:02.389513969 CET	50012	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:02.389558077 CET	50012	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:02.394473076 CET	2400	50012	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:03.414877892 CET	50013	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:03.419929028 CET	2400	50013	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:03.420044899 CET	50013	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:03.448537111 CET	50013	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:03.453552008 CET	2400	50013	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:05.024549961 CET	2400	50013	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:05.027616024 CET	50013	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:05.027667046 CET	50013	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:05.032614946 CET	2400	50013	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:06.028801918 CET	50014	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:06.033941984 CET	2400	50014	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:06.035521984 CET	50014	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:06.038803101 CET	50014	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:06.043692112 CET	2400	50014	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:07.653199911 CET	2400	50014	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:07.654505968 CET	50014	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:07.654577971 CET	50014	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:07.660968065 CET	2400	50014	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:08.622721910 CET	50015	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:08.627871990 CET	2400	50015	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:08.627950907 CET	50015	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:08.631299019 CET	50015	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:08.636167049 CET	2400	50015	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:10.227699995 CET	2400	50015	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:10.228092909 CET	50015	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:10.228138924 CET	50015	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:10.232928991 CET	2400	50015	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:11.169373035 CET	50016	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:11.174628019 CET	2400	50016	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:11.175515890 CET	50016	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:11.179758072 CET	50016	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:11.184741020 CET	2400	50016	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:12.792376041 CET	2400	50016	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:12.795521021 CET	50016	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:12.795567036 CET	50016	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:12.800451994 CET	2400	50016	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:13.700833082 CET	50017	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:13.705948114 CET	2400	50017	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:13.706154108 CET	50017	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:13.709333897 CET	50017	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:13.716331959 CET	2400	50017	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:15.338824987 CET	2400	50017	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:15.339668989 CET	50017	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:15.339669943 CET	50017	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:15.345407009 CET	2400	50017	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:16.216301918 CET	50018	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:16.221323013 CET	2400	50018	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:16.221390009 CET	50018	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:16.224464893 CET	50018	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:16.229247093 CET	2400	50018	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:17.838774920 CET	2400	50018	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:17.838848114 CET	50018	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:17.838917017 CET	50018	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:17.843724966 CET	2400	50018	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:18.685039997 CET	50019	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:18.689964056 CET	2400	50019	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:18.690488100 CET	50019	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:18.693586111 CET	50019	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:18.698381901 CET	2400	50019	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:20.327106953 CET	2400	50019	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:20.330001116 CET	50019	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:20.330001116 CET	50019	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:20.335220098 CET	2400	50019	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:21.154042959 CET	50020	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:21.159142971 CET	2400	50020	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:21.159223080 CET	50020	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:21.163883924 CET	50020	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:21.168759108 CET	2400	50020	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:22.765851021 CET	2400	50020	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:22.765923977 CET	50020	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:22.765964031 CET	50020	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:22.772063017 CET	2400	50020	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:23.560164928 CET	50021	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:23.565356970 CET	2400	50021	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:23.565490961 CET	50021	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:23.569354057 CET	50021	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:23.574234962 CET	2400	50021	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:25.184643984 CET	2400	50021	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:25.184710026 CET	50021	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:25.184915066 CET	50021	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:25.189663887 CET	2400	50021	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:25.950820923 CET	50022	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:25.955919027 CET	2400	50022	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:25.956110001 CET	50022	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:25.965629101 CET	50022	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:25.970499039 CET	2400	50022	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:27.589265108 CET	2400	50022	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:27.589482069 CET	50022	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:27.592761993 CET	50022	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:27.597706079 CET	2400	50022	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:28.341316938 CET	50023	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:28.346225023 CET	2400	50023	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:28.346411943 CET	50023	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:28.350202084 CET	50023	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:28.355027914 CET	2400	50023	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:29.966259956 CET	2400	50023	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:29.966355085 CET	50023	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:29.966443062 CET	50023	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:29.971286058 CET	2400	50023	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:30.685044050 CET	50024	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:30.690155983 CET	2400	50024	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:30.695563078 CET	50024	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:30.699059963 CET	50024	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:30.703840971 CET	2400	50024	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:32.308895111 CET	2400	50024	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:32.308964968 CET	50024	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:32.309161901 CET	50024	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:32.313967943 CET	2400	50024	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:33.013463974 CET	50025	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:33.018280029 CET	2400	50025	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:33.018342018 CET	50025	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:33.023926020 CET	50025	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:33.028846025 CET	2400	50025	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:34.618515015 CET	2400	50025	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:34.618634939 CET	50025	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:34.618634939 CET	50025	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:34.623383999 CET	2400	50025	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:35.300780058 CET	50026	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:35.305953026 CET	2400	50026	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:35.306039095 CET	50026	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:35.309088945 CET	50026	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:35.314146042 CET	2400	50026	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:36.916996956 CET	2400	50026	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:36.919198990 CET	50026	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:36.919248104 CET	50026	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:36.924133062 CET	2400	50026	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:37.575823069 CET	50027	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:37.580775023 CET	2400	50027	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:37.580861092 CET	50027	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:37.584383965 CET	50027	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:37.589226961 CET	2400	50027	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:39.214379072 CET	2400	50027	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:39.214435101 CET	50027	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:39.214485884 CET	50027	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:39.219327927 CET	2400	50027	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:39.841360092 CET	50028	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:39.847568035 CET	2400	50028	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:39.847645998 CET	50028	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:39.852896929 CET	50028	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:39.859141111 CET	2400	50028	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:41.465137959 CET	2400	50028	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:41.467619896 CET	50028	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:41.467619896 CET	50028	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:41.472485065 CET	2400	50028	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:42.075768948 CET	50029	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:42.080869913 CET	2400	50029	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:42.080946922 CET	50029	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:42.086708069 CET	50029	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:42.091598988 CET	2400	50029	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:43.700540066 CET	2400	50029	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:43.700638056 CET	50029	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:43.700679064 CET	50029	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:43.705543995 CET	2400	50029	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:44.294456005 CET	50030	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:44.299465895 CET	2400	50030	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:44.299601078 CET	50030	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:44.302773952 CET	50030	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:44.307693958 CET	2400	50030	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:45.982296944 CET	2400	50030	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:45.982918978 CET	50030	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:45.982969999 CET	50030	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:45.987905979 CET	2400	50030	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:46.560084105 CET	50031	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:46.565035105 CET	2400	50031	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:46.565677881 CET	50031	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:46.569010973 CET	50031	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:46.573832989 CET	2400	50031	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:49.186177015 CET	2400	50031	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:49.186254978 CET	50031	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:49.186332941 CET	50031	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:49.187513113 CET	2400	50031	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:49.187572956 CET	50031	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:49.187736988 CET	2400	50031	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:49.187771082 CET	50031	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:49.187937975 CET	2400	50031	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:49.191391945 CET	2400	50031	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:49.191437960 CET	50031	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:49.732072115 CET	50032	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:49.737052917 CET	2400	50032	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:49.737193108 CET	50032	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:49.742924929 CET	50032	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:49.747857094 CET	2400	50032	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:51.394232988 CET	2400	50032	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:51.394332886 CET	50032	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:51.394332886 CET	50032	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:51.403403997 CET	2400	50032	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:51.935236931 CET	50033	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:51.940677881 CET	2400	50033	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:51.943650007 CET	50033	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:51.947011948 CET	50033	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:51.951822996 CET	2400	50033	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:53.595062017 CET	2400	50033	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:53.595153093 CET	50033	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:53.595223904 CET	50033	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:53.600364923 CET	2400	50033	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:54.107130051 CET	50034	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:54.112708092 CET	2400	50034	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:54.112858057 CET	50034	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:54.116178989 CET	50034	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:54.121772051 CET	2400	50034	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:55.767235041 CET	2400	50034	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:55.767329931 CET	50034	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:55.767376900 CET	50034	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:55.772139072 CET	2400	50034	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:56.263555050 CET	50035	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:56.268882990 CET	2400	50035	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:56.268960953 CET	50035	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:56.299731970 CET	50035	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:56.304677010 CET	2400	50035	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:57.907871008 CET	2400	50035	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:57.909759045 CET	50035	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:57.909759045 CET	50035	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:57.914881945 CET	2400	50035	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:58.389343023 CET	50036	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:58.395651102 CET	2400	50036	87.120.116.245	192.168.2.5
Jan 15, 2025 03:53:58.395735025 CET	50036	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:58.399771929 CET	50036	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:53:58.405868053 CET	2400	50036	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:00.027517080 CET	2400	50036	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:00.027575970 CET	50036	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:00.027631998 CET	50036	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:00.032394886 CET	2400	50036	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:00.497616053 CET	50037	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:00.502434969 CET	2400	50037	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:00.502552986 CET	50037	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:00.505917072 CET	50037	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:00.510704041 CET	2400	50037	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:02.121262074 CET	2400	50037	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:02.122154951 CET	50037	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:02.122154951 CET	50037	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:02.127099037 CET	2400	50037	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:02.575753927 CET	50038	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:02.580761909 CET	2400	50038	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:02.582309961 CET	50038	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:02.585442066 CET	50038	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:02.590312958 CET	2400	50038	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:04.235830069 CET	2400	50038	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:04.239670038 CET	50038	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:04.239820957 CET	50038	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:04.244604111 CET	2400	50038	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:04.669507980 CET	50039	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:04.674559116 CET	2400	50039	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:04.674783945 CET	50039	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:04.677746058 CET	50039	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:04.682559967 CET	2400	50039	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:06.288856030 CET	2400	50039	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:06.288974047 CET	50039	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:06.289057016 CET	50039	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:06.293843031 CET	2400	50039	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:06.716336012 CET	50040	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:06.721374989 CET	2400	50040	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:06.723459005 CET	50040	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:06.726536989 CET	50040	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:06.731379986 CET	2400	50040	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:08.321971893 CET	2400	50040	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:08.322137117 CET	50040	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:08.322138071 CET	50040	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:08.328243971 CET	2400	50040	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:08.732110977 CET	50041	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:08.737550020 CET	2400	50041	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:08.739687920 CET	50041	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:08.742873907 CET	50041	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:08.748142958 CET	2400	50041	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:10.355803967 CET	2400	50041	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:10.356045961 CET	50041	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:10.356045961 CET	50041	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:10.360858917 CET	2400	50041	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:10.747776031 CET	50042	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:10.752770901 CET	2400	50042	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:10.752875090 CET	50042	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:10.756283045 CET	50042	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:10.761192083 CET	2400	50042	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:12.391575098 CET	2400	50042	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:12.391701937 CET	50042	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:12.391792059 CET	50042	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:12.396647930 CET	2400	50042	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:12.779082060 CET	50043	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:12.784079075 CET	2400	50043	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:12.787702084 CET	50043	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:12.790811062 CET	50043	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:12.795653105 CET	2400	50043	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:14.404499054 CET	2400	50043	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:14.407860994 CET	50043	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:14.407860994 CET	50043	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:14.412813902 CET	2400	50043	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:14.778969049 CET	50044	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:14.784018040 CET	2400	50044	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:14.784125090 CET	50044	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:14.787795067 CET	50044	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:14.792612076 CET	2400	50044	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:16.386915922 CET	2400	50044	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:16.389945984 CET	50044	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:16.389945984 CET	50044	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:16.394963026 CET	2400	50044	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:16.747782946 CET	50045	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:16.753058910 CET	2400	50045	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:16.753189087 CET	50045	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:16.757654905 CET	50045	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:16.762584925 CET	2400	50045	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:18.387382030 CET	2400	50045	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:18.387505054 CET	50045	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:18.387506008 CET	50045	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:18.392456055 CET	2400	50045	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:18.732280970 CET	50046	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:18.737237930 CET	2400	50046	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:18.737325907 CET	50046	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:18.740653992 CET	50046	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:18.745511055 CET	2400	50046	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:20.373851061 CET	2400	50046	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:20.373930931 CET	50046	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:20.373975039 CET	50046	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:20.379355907 CET	2400	50046	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:20.716590881 CET	50047	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:20.721813917 CET	2400	50047	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:20.721913099 CET	50047	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:20.725615025 CET	50047	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:20.730515957 CET	2400	50047	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:22.357832909 CET	2400	50047	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:22.357907057 CET	50047	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:22.357949972 CET	50047	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:22.362857103 CET	2400	50047	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:22.685194969 CET	50048	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:22.690181017 CET	2400	50048	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:22.690296888 CET	50048	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:22.693368912 CET	50048	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:22.698165894 CET	2400	50048	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:24.308871031 CET	2400	50048	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:24.308993101 CET	50048	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:24.309086084 CET	50048	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:24.314014912 CET	2400	50048	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:24.622760057 CET	50049	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:24.627739906 CET	2400	50049	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:24.627844095 CET	50049	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:24.631268024 CET	50049	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:24.636033058 CET	2400	50049	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:26.267839909 CET	2400	50049	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:26.268063068 CET	50049	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:26.268063068 CET	50049	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:26.273015022 CET	2400	50049	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:26.575980902 CET	50050	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:26.580981970 CET	2400	50050	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:26.581059933 CET	50050	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:26.584379911 CET	50050	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:26.589261055 CET	2400	50050	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:28.202774048 CET	2400	50050	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:28.206759930 CET	50050	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:28.206799984 CET	50050	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:28.212609053 CET	2400	50050	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:28.521972895 CET	50051	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:28.527053118 CET	2400	50051	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:28.529779911 CET	50051	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:28.532515049 CET	50051	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:28.537370920 CET	2400	50051	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:30.158761024 CET	2400	50051	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:30.159007072 CET	50051	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:30.159091949 CET	50051	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:30.163970947 CET	2400	50051	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:30.451181889 CET	50052	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:30.456335068 CET	2400	50052	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:30.456413031 CET	50052	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:30.459131002 CET	50052	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:30.464034081 CET	2400	50052	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:32.075325966 CET	2400	50052	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:32.075397015 CET	50052	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:32.075489998 CET	50052	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:32.080204964 CET	2400	50052	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:32.357075930 CET	50053	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:32.362011909 CET	2400	50053	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:32.362086058 CET	50053	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:32.365323067 CET	50053	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:32.370141029 CET	2400	50053	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:33.982827902 CET	2400	50053	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:33.982978106 CET	50053	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:33.985513926 CET	50053	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:33.990245104 CET	2400	50053	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:34.247692108 CET	50054	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:34.252532005 CET	2400	50054	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:34.252597094 CET	50054	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:34.257028103 CET	50054	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:34.261838913 CET	2400	50054	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:35.893475056 CET	2400	50054	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:35.893549919 CET	50054	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:35.893696070 CET	50054	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:35.898463964 CET	2400	50054	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:36.154032946 CET	50055	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:36.159101009 CET	2400	50055	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:36.159195900 CET	50055	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:36.162338018 CET	50055	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:36.167211056 CET	2400	50055	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:37.780138016 CET	2400	50055	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:37.780203104 CET	50055	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:37.780292034 CET	50055	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:37.785137892 CET	2400	50055	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:38.028949976 CET	50056	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:38.033977985 CET	2400	50056	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:38.034056902 CET	50056	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:38.037231922 CET	50056	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:38.042032957 CET	2400	50056	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:39.763019085 CET	2400	50056	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:39.763135910 CET	50056	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:39.763278961 CET	50056	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:39.768104076 CET	2400	50056	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:39.997901917 CET	50057	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:40.002899885 CET	2400	50057	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:40.002996922 CET	50057	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:40.027204990 CET	50057	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:40.032192945 CET	2400	50057	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:41.622622013 CET	2400	50057	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:41.622806072 CET	50057	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:41.622848034 CET	50057	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:41.627795935 CET	2400	50057	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:41.857528925 CET	50058	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:41.862818956 CET	2400	50058	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:41.862903118 CET	50058	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:41.867451906 CET	50058	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:41.872369051 CET	2400	50058	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:43.481548071 CET	2400	50058	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:43.481631994 CET	50058	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:43.481728077 CET	50058	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:43.486515999 CET	2400	50058	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:43.701050043 CET	50059	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:43.706279039 CET	2400	50059	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:43.706572056 CET	50059	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:43.711221933 CET	50059	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:43.716084003 CET	2400	50059	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:45.326790094 CET	2400	50059	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:45.327929020 CET	50059	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:45.327929020 CET	50059	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:45.332947969 CET	2400	50059	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:45.544681072 CET	50060	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:45.549720049 CET	2400	50060	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:45.551800966 CET	50060	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:45.583885908 CET	50060	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:45.588820934 CET	2400	50060	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:47.168848991 CET	2400	50060	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:47.168931007 CET	50060	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:47.168988943 CET	50060	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:47.173877001 CET	2400	50060	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:47.388330936 CET	50061	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:47.393177986 CET	2400	50061	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:47.395811081 CET	50061	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:47.398612976 CET	50061	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:47.403495073 CET	2400	50061	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:48.992875099 CET	2400	50061	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:48.993020058 CET	50061	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:48.993072987 CET	50061	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:48.998028040 CET	2400	50061	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:49.201406956 CET	50062	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:49.206449032 CET	2400	50062	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:49.206540108 CET	50062	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:49.209678888 CET	50062	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:49.214576006 CET	2400	50062	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:50.825323105 CET	2400	50062	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:50.825416088 CET	50062	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:50.825562954 CET	50062	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:50.830405951 CET	2400	50062	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:51.038552999 CET	50063	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:51.043641090 CET	2400	50063	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:51.043813944 CET	50063	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:51.085232973 CET	50063	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:51.090101004 CET	2400	50063	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:52.690262079 CET	2400	50063	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:52.690342903 CET	50063	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:52.690411091 CET	50063	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:52.695288897 CET	2400	50063	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:52.888410091 CET	50064	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:52.893672943 CET	2400	50064	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:52.895823956 CET	50064	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:52.900378942 CET	50064	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:52.905347109 CET	2400	50064	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:54.528774977 CET	2400	50064	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:54.528867960 CET	50064	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:54.528961897 CET	50064	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:54.533875942 CET	2400	50064	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:54.716695070 CET	50065	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:54.721872091 CET	2400	50065	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:54.722026110 CET	50065	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:54.724905014 CET	50065	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:54.729724884 CET	2400	50065	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:56.399091005 CET	2400	50065	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:56.399161100 CET	50065	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:56.399204969 CET	50065	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:56.404109955 CET	2400	50065	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:56.605515003 CET	50066	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:56.610723019 CET	2400	50066	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:56.610852003 CET	50066	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:56.624476910 CET	50066	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:56.629551888 CET	2400	50066	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:58.227781057 CET	2400	50066	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:58.227952003 CET	50066	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:58.227952003 CET	50066	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:58.233057022 CET	2400	50066	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:58.404203892 CET	50067	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:58.410361052 CET	2400	50067	87.120.116.245	192.168.2.5
Jan 15, 2025 03:54:58.410438061 CET	50067	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:58.413337946 CET	50067	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:54:58.418263912 CET	2400	50067	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:00.032193899 CET	2400	50067	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:00.032291889 CET	50067	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:00.032350063 CET	50067	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:00.037277937 CET	2400	50067	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:00.200984001 CET	50068	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:00.206115007 CET	2400	50068	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:00.206223965 CET	50068	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:00.209028006 CET	50068	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:00.214072943 CET	2400	50068	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:01.827883005 CET	2400	50068	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:01.831851006 CET	50068	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:01.832036018 CET	50068	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:01.836822987 CET	2400	50068	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:01.999722004 CET	50069	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:02.004717112 CET	2400	50069	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:02.004808903 CET	50069	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:02.041430950 CET	50069	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:02.046505928 CET	2400	50069	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:03.622179985 CET	2400	50069	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:03.623842955 CET	50069	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:03.623894930 CET	50069	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:03.628665924 CET	2400	50069	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:03.779160023 CET	50070	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:03.785923958 CET	2400	50070	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:03.787853956 CET	50070	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:03.791026115 CET	50070	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:03.797780991 CET	2400	50070	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:05.437798023 CET	2400	50070	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:05.439848900 CET	50070	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:05.439909935 CET	50070	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:05.444716930 CET	2400	50070	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:05.591481924 CET	50071	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:05.596373081 CET	2400	50071	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:05.599836111 CET	50071	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:05.603212118 CET	50071	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:05.608033895 CET	2400	50071	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:07.212317944 CET	2400	50071	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:07.213988066 CET	50071	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:07.213988066 CET	50071	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:07.218887091 CET	2400	50071	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:07.357434988 CET	50072	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:07.362371922 CET	2400	50072	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:07.366002083 CET	50072	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:07.369039059 CET	50072	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:07.373780012 CET	2400	50072	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:09.001050949 CET	2400	50072	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:09.003870964 CET	50072	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:09.003923893 CET	50072	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:09.009092093 CET	2400	50072	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:09.154021025 CET	50073	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:09.158968925 CET	2400	50073	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:09.159895897 CET	50073	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:09.162662029 CET	50073	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:09.167471886 CET	2400	50073	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:10.874296904 CET	2400	50073	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:10.874478102 CET	50073	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:10.874568939 CET	50073	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:10.879697084 CET	2400	50073	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:11.013472080 CET	50074	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:11.019763947 CET	2400	50074	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:11.019877911 CET	50074	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:11.024640083 CET	50074	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:11.030613899 CET	2400	50074	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:12.639420986 CET	2400	50074	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:12.639544964 CET	50074	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:12.639635086 CET	50074	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:12.644498110 CET	2400	50074	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:12.779350996 CET	50075	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:12.784466028 CET	2400	50075	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:12.784571886 CET	50075	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:12.788007021 CET	50075	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:12.792833090 CET	2400	50075	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:14.389496088 CET	2400	50075	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:14.389715910 CET	50075	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:14.389811993 CET	50075	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:14.394599915 CET	2400	50075	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:14.513362885 CET	50076	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:14.518836021 CET	2400	50076	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:14.518958092 CET	50076	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:14.524168015 CET	50076	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:14.530190945 CET	2400	50076	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:16.137581110 CET	2400	50076	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:16.137727976 CET	50076	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:16.137797117 CET	50076	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:16.142611980 CET	2400	50076	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:16.263614893 CET	50077	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:16.268656015 CET	2400	50077	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:16.268767118 CET	50077	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:16.273442984 CET	50077	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:16.278198957 CET	2400	50077	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:17.869096994 CET	2400	50077	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:17.870800972 CET	50077	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:17.870871067 CET	50077	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:17.875617027 CET	2400	50077	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:17.998106003 CET	50078	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:18.003195047 CET	2400	50078	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:18.003326893 CET	50078	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:18.006145954 CET	50078	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:18.011264086 CET	2400	50078	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:19.622822046 CET	2400	50078	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:19.626173973 CET	50078	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:19.626174927 CET	50078	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:19.631177902 CET	2400	50078	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:19.748030901 CET	50079	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:19.753706932 CET	2400	50079	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:19.754786968 CET	50079	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:19.758531094 CET	50079	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:19.763411045 CET	2400	50079	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:21.391096115 CET	2400	50079	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:21.391704082 CET	50079	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:21.391813040 CET	50079	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:21.397861958 CET	2400	50079	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:21.513592958 CET	50080	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:21.518620968 CET	2400	50080	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:21.524002075 CET	50080	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:21.527396917 CET	50080	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:21.532255888 CET	2400	50080	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:23.120637894 CET	2400	50080	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:23.122189045 CET	50080	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:23.122189045 CET	50080	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:23.127031088 CET	2400	50080	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:23.232224941 CET	50081	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:23.237108946 CET	2400	50081	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:23.237247944 CET	50081	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:23.241126060 CET	50081	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:23.245954990 CET	2400	50081	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:24.841757059 CET	2400	50081	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:24.842042923 CET	50081	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:24.842042923 CET	50081	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:24.847394943 CET	2400	50081	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:24.951096058 CET	50082	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:24.959372044 CET	2400	50082	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:24.959948063 CET	50082	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:24.963222980 CET	50082	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:24.971354008 CET	2400	50082	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:26.582779884 CET	2400	50082	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:26.586077929 CET	50082	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:26.586078882 CET	50082	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:26.593146086 CET	2400	50082	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:26.685417891 CET	50083	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:26.690844059 CET	2400	50083	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:26.691948891 CET	50083	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:26.694700003 CET	50083	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:26.699640989 CET	2400	50083	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:28.309597015 CET	2400	50083	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:28.309679985 CET	50083	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:28.309765100 CET	50083	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:28.315850973 CET	2400	50083	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:28.404099941 CET	50084	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:28.409734011 CET	2400	50084	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:28.409969091 CET	50084	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:28.414505005 CET	50084	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:28.419281960 CET	2400	50084	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:30.030894995 CET	2400	50084	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:30.031959057 CET	50084	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:30.032002926 CET	50084	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:30.038157940 CET	2400	50084	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:30.124927998 CET	50085	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:30.129956961 CET	2400	50085	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:30.130044937 CET	50085	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:30.134696007 CET	50085	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:30.140866995 CET	2400	50085	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:31.767455101 CET	2400	50085	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:31.767565966 CET	50085	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:31.767769098 CET	50085	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:31.772578001 CET	2400	50085	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:31.857196093 CET	50086	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:31.862921953 CET	2400	50086	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:31.863042116 CET	50086	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:31.867083073 CET	50086	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:31.871897936 CET	2400	50086	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:33.484049082 CET	2400	50086	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:33.487032890 CET	50086	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:33.487032890 CET	50086	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:33.491924047 CET	2400	50086	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:33.582772017 CET	50087	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:33.587733030 CET	2400	50087	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:33.591948986 CET	50087	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:33.594775915 CET	50087	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:33.599524975 CET	2400	50087	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:35.219496965 CET	2400	50087	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:35.219589949 CET	50087	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:35.219635963 CET	50087	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:35.224566936 CET	2400	50087	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:35.310647964 CET	50088	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:35.315835953 CET	2400	50088	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:35.315963030 CET	50088	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:35.322700024 CET	50088	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:35.327791929 CET	2400	50088	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:36.984747887 CET	2400	50088	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:36.988071918 CET	50088	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:36.988071918 CET	50088	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:36.993027925 CET	2400	50088	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:37.075953007 CET	50089	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:37.083456039 CET	2400	50089	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:37.083561897 CET	50089	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:37.086358070 CET	50089	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:37.093367100 CET	2400	50089	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:38.763859034 CET	2400	50089	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:38.763958931 CET	50089	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:38.764059067 CET	50089	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:38.768958092 CET	2400	50089	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:38.841721058 CET	50090	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:38.847469091 CET	2400	50090	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:38.847569942 CET	50090	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:38.850686073 CET	50090	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:38.855540991 CET	2400	50090	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:40.519629955 CET	2400	50090	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:40.522010088 CET	50090	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:40.522097111 CET	50090	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:40.526983976 CET	2400	50090	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:40.607125044 CET	50091	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:40.612328053 CET	2400	50091	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:40.612405062 CET	50091	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:40.615199089 CET	50091	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:40.620228052 CET	2400	50091	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:42.288414955 CET	2400	50091	87.120.116.245	192.168.2.5
Jan 15, 2025 03:55:42.288746119 CET	50091	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:42.288746119 CET	50091	2400	192.168.2.5	87.120.116.245
Jan 15, 2025 03:55:42.293729067 CET	2400	50091	87.120.116.245	192.168.2.5

Target ID:	0
Start time:	21:51:35
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\Material Requirments.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Material Requirments.exe"
Imagebase:	0xda0000
File size:	1'005'568 bytes
MD5 hash:	3A9DA3EDC40736CC832EDED3C389A661
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2075574179.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2070300215.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2070300215.0000000004309000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2070300215.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:51:36
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\Material Requirments.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Material Requirments.exe"
Imagebase:	0xa40000
File size:	1'005'568 bytes
MD5 hash:	3A9DA3EDC40736CC832EDED3C389A661
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2059843569.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.2059348662.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:51:37
Start date:	14/01/2025
Path:	C:\ProgramData\Remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Remcos\remcos.exe"
Imagebase:	0x4b0000
File size:	1'005'568 bytes
MD5 hash:	3A9DA3EDC40736CC832EDED3C389A661
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs Detection: 78%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:51:38
Start date:	14/01/2025
Path:	C:\ProgramData\Remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Remcos\remcos.exe"
Imagebase:	0x960000
File size:	1'005'568 bytes
MD5 hash:	3A9DA3EDC40736CC832EDED3C389A661
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4498595557.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	21:51:49
Start date:	14/01/2025
Path:	C:\ProgramData\Remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Remcos\remcos.exe"
Imagebase:	0xb10000
File size:	1'005'568 bytes
MD5 hash:	3A9DA3EDC40736CC832EDED3C389A661
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:51:50
Start date:	14/01/2025
Path:	C:\ProgramData\Remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Remcos\remcos.exe"
Imagebase:	0xb70000
File size:	1'005'568 bytes
MD5 hash:	3A9DA3EDC40736CC832EDED3C389A661
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2193815642.0000000001397000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	21:51:57
Start date:	14/01/2025
Path:	C:\ProgramData\Remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Remcos\remcos.exe"
Imagebase:	0x7ff632ac0000
File size:	1'005'568 bytes
MD5 hash:	3A9DA3EDC40736CC832EDED3C389A661
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:51:58
Start date:	14/01/2025
Path:	C:\ProgramData\Remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Remcos\remcos.exe"
Imagebase:	0x850000
File size:	1'005'568 bytes
MD5 hash:	3A9DA3EDC40736CC832EDED3C389A661
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2278960559.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:52:05
Start date:	14/01/2025
Path:	C:\ProgramData\Remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Remcos\remcos.exe"
Imagebase:	0xd60000
File size:	1'005'568 bytes
MD5 hash:	3A9DA3EDC40736CC832EDED3C389A661
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	21:52:06
Start date:	14/01/2025
Path:	C:\ProgramData\Remcos\remcos.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Remcos\remcos.exe"
Imagebase:	0x710000
File size:	1'005'568 bytes
MD5 hash:	3A9DA3EDC40736CC832EDED3C389A661
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2358460692.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Material Requirments.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Remcos\remcos.exe

C:\ProgramData\Remcos\remcos.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Material Requirments.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\remcos.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
Material Requirments.exe