Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Order Drawing.exe

Overview

General Information

Sample name:Order Drawing.exe
(renamed file extension from pif to exe)
Original sample name:Order Drawing.pif
Analysis ID:1591546
MD5:3a9da3edc40736cc832eded3c389a661
SHA1:f32f61fb4458696dae4f15d82377163521e4f8b5
SHA256:f2418ca6e602c9470a8b6e32172432726e50b00d6e7a0ee5bd70d0172017d6c3
Infos:

Detection

Remcos, PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Uses 32bit PE files
Yara detected Keylogger Generic
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Order Drawing.exe (PID: 4084 cmdline: "C:\Users\user\Desktop\Order Drawing.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)
    • Order Drawing.exe (PID: 6432 cmdline: "C:\Users\user\Desktop\Order Drawing.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)
      • remcos.exe (PID: 3908 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)
        • remcos.exe (PID: 5464 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)
      • WMIADAP.exe (PID: 3908 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)
  • remcos.exe (PID: 6808 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)
    • remcos.exe (PID: 1492 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)
    • remcos.exe (PID: 5840 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)
  • remcos.exe (PID: 5916 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)
    • remcos.exe (PID: 6452 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)
  • remcos.exe (PID: 2052 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)
    • remcos.exe (PID: 5576 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 3A9DA3EDC40736CC832EDED3C389A661)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["87.120.116.245:2400:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-24L73B", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.4576882925.00000000013E8000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
    00000000.00000002.2127574047.00000000040D9000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
      0000000C.00000002.2334188947.0000000000D37000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
        00000003.00000002.2125985990.000000000116A000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
          0000000E.00000002.2418028511.0000000000FA7000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
            Click to see the 31 entries

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: CurrentVersion Autorun Keys Modification
            Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Order Drawing.exe, ProcessId: 6432, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-24L73B
            Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
            Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Order Drawing.exe, ProcessId: 6432, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-24L73B

            Stealing of Sensitive Information

            barindex
            Sigma detected: Remcos
            Source: Registry Key setAuthor: Joe Security: Data: Details: 66 57 27 95 79 E4 43 60 A3 C1 CC 09 A2 F2 B0 DC C9 0C 47 50 1A D8 96 5A E5 39 C8 E5 77 FA BB 03 2E 29 40 1B B4 6E C5 35 05 56 FF 36 06 0F 9B D4 CE 11 07 FB BA C6 2D C8 B6 8A 17 DB 53 B8 CE 8E EE 46 , EventID: 13, EventType: SetValue, Image: C:\ProgramData\Remcos\remcos.exe, ProcessId: 5464, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-24L73B\exepath

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2025-01-15T03:52:04.621826+010020365941Malware Command and Control Activity Detected192.168.2.64971287.120.116.2452400TCP
            2025-01-15T03:52:07.276937+010020365941Malware Command and Control Activity Detected192.168.2.64971687.120.116.2452400TCP
            2025-01-15T03:52:09.933454+010020365941Malware Command and Control Activity Detected192.168.2.64971987.120.116.2452400TCP
            2025-01-15T03:52:12.591489+010020365941Malware Command and Control Activity Detected192.168.2.64973087.120.116.2452400TCP
            2025-01-15T03:52:15.259743+010020365941Malware Command and Control Activity Detected192.168.2.64975187.120.116.2452400TCP
            2025-01-15T03:52:17.865612+010020365941Malware Command and Control Activity Detected192.168.2.64976987.120.116.2452400TCP
            2025-01-15T03:52:20.509590+010020365941Malware Command and Control Activity Detected192.168.2.64978887.120.116.2452400TCP
            2025-01-15T03:52:23.185289+010020365941Malware Command and Control Activity Detected192.168.2.64980787.120.116.2452400TCP
            2025-01-15T03:52:25.819711+010020365941Malware Command and Control Activity Detected192.168.2.64982487.120.116.2452400TCP
            2025-01-15T03:52:28.449209+010020365941Malware Command and Control Activity Detected192.168.2.64984487.120.116.2452400TCP
            2025-01-15T03:52:31.107542+010020365941Malware Command and Control Activity Detected192.168.2.64986087.120.116.2452400TCP
            2025-01-15T03:52:33.725550+010020365941Malware Command and Control Activity Detected192.168.2.64987887.120.116.2452400TCP
            2025-01-15T03:52:36.355943+010020365941Malware Command and Control Activity Detected192.168.2.64989287.120.116.2452400TCP
            2025-01-15T03:52:38.991383+010020365941Malware Command and Control Activity Detected192.168.2.64990887.120.116.2452400TCP
            2025-01-15T03:52:41.640594+010020365941Malware Command and Control Activity Detected192.168.2.64992387.120.116.2452400TCP
            2025-01-15T03:52:44.275865+010020365941Malware Command and Control Activity Detected192.168.2.64994487.120.116.2452400TCP
            2025-01-15T03:52:46.916957+010020365941Malware Command and Control Activity Detected192.168.2.64996087.120.116.2452400TCP
            2025-01-15T03:52:49.543468+010020365941Malware Command and Control Activity Detected192.168.2.64997687.120.116.2452400TCP
            2025-01-15T03:52:52.164880+010020365941Malware Command and Control Activity Detected192.168.2.64999387.120.116.2452400TCP
            2025-01-15T03:52:54.792057+010020365941Malware Command and Control Activity Detected192.168.2.65000487.120.116.2452400TCP
            2025-01-15T03:52:57.399239+010020365941Malware Command and Control Activity Detected192.168.2.65000887.120.116.2452400TCP
            2025-01-15T03:53:00.026488+010020365941Malware Command and Control Activity Detected192.168.2.65000987.120.116.2452400TCP
            2025-01-15T03:53:02.666994+010020365941Malware Command and Control Activity Detected192.168.2.65001087.120.116.2452400TCP
            2025-01-15T03:53:05.272535+010020365941Malware Command and Control Activity Detected192.168.2.65001187.120.116.2452400TCP
            2025-01-15T03:53:07.901999+010020365941Malware Command and Control Activity Detected192.168.2.65001287.120.116.2452400TCP
            2025-01-15T03:53:10.667114+010020365941Malware Command and Control Activity Detected192.168.2.65001387.120.116.2452400TCP
            2025-01-15T03:53:13.290530+010020365941Malware Command and Control Activity Detected192.168.2.65001487.120.116.2452400TCP
            2025-01-15T03:53:16.025531+010020365941Malware Command and Control Activity Detected192.168.2.65001587.120.116.2452400TCP
            2025-01-15T03:53:18.654842+010020365941Malware Command and Control Activity Detected192.168.2.65001787.120.116.2452400TCP
            2025-01-15T03:53:21.310575+010020365941Malware Command and Control Activity Detected192.168.2.65001887.120.116.2452400TCP
            2025-01-15T03:53:24.026035+010020365941Malware Command and Control Activity Detected192.168.2.65001987.120.116.2452400TCP
            2025-01-15T03:53:26.639649+010020365941Malware Command and Control Activity Detected192.168.2.65002087.120.116.2452400TCP
            2025-01-15T03:53:29.429905+010020365941Malware Command and Control Activity Detected192.168.2.65002287.120.116.2452400TCP
            2025-01-15T03:53:32.046934+010020365941Malware Command and Control Activity Detected192.168.2.65002387.120.116.2452400TCP
            2025-01-15T03:53:34.617455+010020365941Malware Command and Control Activity Detected192.168.2.65002487.120.116.2452400TCP
            2025-01-15T03:53:37.152143+010020365941Malware Command and Control Activity Detected192.168.2.65002587.120.116.2452400TCP
            2025-01-15T03:53:39.635619+010020365941Malware Command and Control Activity Detected192.168.2.65002687.120.116.2452400TCP
            2025-01-15T03:53:42.105080+010020365941Malware Command and Control Activity Detected192.168.2.65002787.120.116.2452400TCP
            2025-01-15T03:53:44.559002+010020365941Malware Command and Control Activity Detected192.168.2.65002887.120.116.2452400TCP
            2025-01-15T03:53:46.982082+010020365941Malware Command and Control Activity Detected192.168.2.65002987.120.116.2452400TCP
            2025-01-15T03:53:49.370483+010020365941Malware Command and Control Activity Detected192.168.2.65003087.120.116.2452400TCP
            2025-01-15T03:53:51.781420+010020365941Malware Command and Control Activity Detected192.168.2.65003187.120.116.2452400TCP
            2025-01-15T03:53:54.119693+010020365941Malware Command and Control Activity Detected192.168.2.65003287.120.116.2452400TCP
            2025-01-15T03:53:56.414225+010020365941Malware Command and Control Activity Detected192.168.2.65003387.120.116.2452400TCP
            2025-01-15T03:53:58.734421+010020365941Malware Command and Control Activity Detected192.168.2.65003487.120.116.2452400TCP
            2025-01-15T03:54:01.072076+010020365941Malware Command and Control Activity Detected192.168.2.65003587.120.116.2452400TCP
            2025-01-15T03:54:03.347669+010020365941Malware Command and Control Activity Detected192.168.2.65003687.120.116.2452400TCP
            2025-01-15T03:54:05.985373+010020365941Malware Command and Control Activity Detected192.168.2.65003787.120.116.2452400TCP
            2025-01-15T03:54:08.214670+010020365941Malware Command and Control Activity Detected192.168.2.65003887.120.116.2452400TCP
            2025-01-15T03:54:10.401862+010020365941Malware Command and Control Activity Detected192.168.2.65003987.120.116.2452400TCP
            2025-01-15T03:54:12.635517+010020365941Malware Command and Control Activity Detected192.168.2.65004087.120.116.2452400TCP
            2025-01-15T03:54:14.794990+010020365941Malware Command and Control Activity Detected192.168.2.65004187.120.116.2452400TCP
            2025-01-15T03:54:16.953465+010020365941Malware Command and Control Activity Detected192.168.2.65004287.120.116.2452400TCP
            2025-01-15T03:54:19.127044+010020365941Malware Command and Control Activity Detected192.168.2.65004387.120.116.2452400TCP
            2025-01-15T03:54:21.246733+010020365941Malware Command and Control Activity Detected192.168.2.65004487.120.116.2452400TCP
            2025-01-15T03:54:23.355981+010020365941Malware Command and Control Activity Detected192.168.2.65004587.120.116.2452400TCP
            2025-01-15T03:54:25.455162+010020365941Malware Command and Control Activity Detected192.168.2.65004687.120.116.2452400TCP
            2025-01-15T03:54:27.512718+010020365941Malware Command and Control Activity Detected192.168.2.65004787.120.116.2452400TCP
            2025-01-15T03:54:29.563773+010020365941Malware Command and Control Activity Detected192.168.2.65004887.120.116.2452400TCP
            2025-01-15T03:54:31.590137+010020365941Malware Command and Control Activity Detected192.168.2.65004987.120.116.2452400TCP
            2025-01-15T03:54:33.626385+010020365941Malware Command and Control Activity Detected192.168.2.65005087.120.116.2452400TCP
            2025-01-15T03:54:35.618968+010020365941Malware Command and Control Activity Detected192.168.2.65005187.120.116.2452400TCP
            2025-01-15T03:54:37.607783+010020365941Malware Command and Control Activity Detected192.168.2.65005287.120.116.2452400TCP
            2025-01-15T03:54:39.571156+010020365941Malware Command and Control Activity Detected192.168.2.65005387.120.116.2452400TCP
            2025-01-15T03:54:41.546819+010020365941Malware Command and Control Activity Detected192.168.2.65005487.120.116.2452400TCP
            2025-01-15T03:54:43.514335+010020365941Malware Command and Control Activity Detected192.168.2.65005587.120.116.2452400TCP
            2025-01-15T03:54:45.450274+010020365941Malware Command and Control Activity Detected192.168.2.65005687.120.116.2452400TCP
            2025-01-15T03:54:47.388118+010020365941Malware Command and Control Activity Detected192.168.2.65005787.120.116.2452400TCP
            2025-01-15T03:54:49.326076+010020365941Malware Command and Control Activity Detected192.168.2.65005887.120.116.2452400TCP
            2025-01-15T03:54:51.247416+010020365941Malware Command and Control Activity Detected192.168.2.65005987.120.116.2452400TCP
            2025-01-15T03:54:53.155519+010020365941Malware Command and Control Activity Detected192.168.2.65006087.120.116.2452400TCP
            2025-01-15T03:54:55.062336+010020365941Malware Command and Control Activity Detected192.168.2.65006187.120.116.2452400TCP
            2025-01-15T03:54:57.011473+010020365941Malware Command and Control Activity Detected192.168.2.65006287.120.116.2452400TCP
            2025-01-15T03:54:58.908122+010020365941Malware Command and Control Activity Detected192.168.2.65006487.120.116.2452400TCP
            2025-01-15T03:55:00.799650+010020365941Malware Command and Control Activity Detected192.168.2.65006587.120.116.2452400TCP
            2025-01-15T03:55:02.659829+010020365941Malware Command and Control Activity Detected192.168.2.65006687.120.116.2452400TCP
            2025-01-15T03:55:06.915609+010020365941Malware Command and Control Activity Detected192.168.2.65006787.120.116.2452400TCP
            2025-01-15T03:55:08.773635+010020365941Malware Command and Control Activity Detected192.168.2.65006887.120.116.2452400TCP
            2025-01-15T03:55:10.623543+010020365941Malware Command and Control Activity Detected192.168.2.65006987.120.116.2452400TCP
            2025-01-15T03:55:12.451874+010020365941Malware Command and Control Activity Detected192.168.2.65007087.120.116.2452400TCP
            2025-01-15T03:55:14.278998+010020365941Malware Command and Control Activity Detected192.168.2.65007187.120.116.2452400TCP
            2025-01-15T03:55:16.091815+010020365941Malware Command and Control Activity Detected192.168.2.65007287.120.116.2452400TCP
            2025-01-15T03:55:17.923995+010020365941Malware Command and Control Activity Detected192.168.2.65007387.120.116.2452400TCP
            2025-01-15T03:55:19.752076+010020365941Malware Command and Control Activity Detected192.168.2.65007487.120.116.2452400TCP
            2025-01-15T03:55:21.565936+010020365941Malware Command and Control Activity Detected192.168.2.65007587.120.116.2452400TCP
            2025-01-15T03:55:23.377942+010020365941Malware Command and Control Activity Detected192.168.2.65007687.120.116.2452400TCP
            2025-01-15T03:55:25.150772+010020365941Malware Command and Control Activity Detected192.168.2.65007787.120.116.2452400TCP
            2025-01-15T03:55:26.900548+010020365941Malware Command and Control Activity Detected192.168.2.65007887.120.116.2452400TCP
            2025-01-15T03:55:28.650328+010020365941Malware Command and Control Activity Detected192.168.2.65007987.120.116.2452400TCP
            2025-01-15T03:55:30.439932+010020365941Malware Command and Control Activity Detected192.168.2.65008087.120.116.2452400TCP
            2025-01-15T03:55:32.218938+010020365941Malware Command and Control Activity Detected192.168.2.65008187.120.116.2452400TCP
            2025-01-15T03:55:33.963133+010020365941Malware Command and Control Activity Detected192.168.2.65008287.120.116.2452400TCP
            2025-01-15T03:55:35.733580+010020365941Malware Command and Control Activity Detected192.168.2.65008387.120.116.2452400TCP
            2025-01-15T03:55:37.500070+010020365941Malware Command and Control Activity Detected192.168.2.65008487.120.116.2452400TCP
            2025-01-15T03:55:39.280091+010020365941Malware Command and Control Activity Detected192.168.2.65008587.120.116.2452400TCP
            2025-01-15T03:55:41.103972+010020365941Malware Command and Control Activity Detected192.168.2.65008687.120.116.2452400TCP
            2025-01-15T03:55:42.878679+010020365941Malware Command and Control Activity Detected192.168.2.65008787.120.116.2452400TCP
            2025-01-15T03:55:44.608497+010020365941Malware Command and Control Activity Detected192.168.2.65008887.120.116.2452400TCP
            2025-01-15T03:55:46.355985+010020365941Malware Command and Control Activity Detected192.168.2.65008987.120.116.2452400TCP
            2025-01-15T03:55:48.108490+010020365941Malware Command and Control Activity Detected192.168.2.65009087.120.116.2452400TCP
            2025-01-15T03:55:49.843749+010020365941Malware Command and Control Activity Detected192.168.2.65009187.120.116.2452400TCP
            2025-01-15T03:55:51.557415+010020365941Malware Command and Control Activity Detected192.168.2.65009287.120.116.2452400TCP
            2025-01-15T03:55:53.280261+010020365941Malware Command and Control Activity Detected192.168.2.65009387.120.116.2452400TCP
            2025-01-15T03:55:54.984081+010020365941Malware Command and Control Activity Detected192.168.2.65009487.120.116.2452400TCP
            2025-01-15T03:55:56.728142+010020365941Malware Command and Control Activity Detected192.168.2.65009587.120.116.2452400TCP
            2025-01-15T03:55:58.471338+010020365941Malware Command and Control Activity Detected192.168.2.65009687.120.116.2452400TCP
            2025-01-15T03:56:00.234766+010020365941Malware Command and Control Activity Detected192.168.2.65009787.120.116.2452400TCP
            2025-01-15T03:56:01.971692+010020365941Malware Command and Control Activity Detected192.168.2.65009887.120.116.2452400TCP
            2025-01-15T03:56:03.704158+010020365941Malware Command and Control Activity Detected192.168.2.65009987.120.116.2452400TCP
            2025-01-15T03:56:05.629334+010020365941Malware Command and Control Activity Detected192.168.2.65010087.120.116.2452400TCP
            2025-01-15T03:56:07.343262+010020365941Malware Command and Control Activity Detected192.168.2.65010187.120.116.2452400TCP
            2025-01-15T03:56:09.965505+010020365941Malware Command and Control Activity Detected192.168.2.65010287.120.116.2452400TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Found malware configuration
            Source: 00000005.00000002.4576882925.00000000013E8000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": ["87.120.116.245:2400:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-24L73B", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
            Multi AV Scanner detection for dropped file
            Source: C:\ProgramData\Remcos\remcos.exeReversingLabs: Detection: 68%
            Source: C:\ProgramData\Remcos\remcos.exeVirustotal: Detection: 77%Perma Link
            Multi AV Scanner detection for submitted file
            Source: Order Drawing.exeVirustotal: Detection: 77%Perma Link
            Source: Order Drawing.exeReversingLabs: Detection: 68%
            Yara detected Remcos RAT
            Source: Yara matchFile source: 00000005.00000002.4576882925.00000000013E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.2334188947.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.2125985990.000000000116A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.2418028511.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.2248582094.0000000001097000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2127574047.0000000004C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Order Drawing.exe PID: 4084, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Order Drawing.exe PID: 6432, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 5464, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 5840, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 6452, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 5576, type: MEMORYSTR
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for dropped file
            Source: C:\ProgramData\Remcos\remcos.exeJoe Sandbox ML: detected
            Machine Learning detection for sample
            Source: Order Drawing.exeJoe Sandbox ML: detected
            Source: Order Drawing.exe, 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_6ba4f058-7

            Exploits

            barindex
            Yara detected UAC Bypass using CMSTP
            Source: Yara matchFile source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2127574047.0000000004C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Order Drawing.exe PID: 4084, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Order Drawing.exe PID: 6432, type: MEMORYSTR
            Source: Order Drawing.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: Order Drawing.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49716 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49712 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49719 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49730 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49751 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49769 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49807 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49788 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49824 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49844 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49878 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49860 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49923 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49944 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49908 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49960 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49892 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49976 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49993 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50008 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50010 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50009 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50022 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50012 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50024 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50039 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50004 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50026 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50020 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50030 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50038 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50036 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50013 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50041 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50029 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50051 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50037 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50042 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50054 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50040 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50044 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50049 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50062 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50015 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50074 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50075 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50077 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50035 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50025 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50101 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50031 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50089 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50091 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50060 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50058 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50099 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50084 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50064 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50046 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50032 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50093 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50017 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50087 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50014 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50098 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50034 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50067 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50092 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50083 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50082 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50047 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50043 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50066 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50081 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50076 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50079 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50090 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50100 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50078 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50085 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50055 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50070 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50086 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50080 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50018 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50061 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50027 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50019 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50071 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50052 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50023 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50053 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50065 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50094 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50045 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50069 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50059 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50033 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50095 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50072 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50056 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50097 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50096 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50050 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50073 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50048 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50102 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50068 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50088 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50011 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50028 -> 87.120.116.245:2400
            Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50057 -> 87.120.116.245:2400
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorIPs: 87.120.116.245
            Source: global trafficTCP traffic: 192.168.2.6:49712 -> 87.120.116.245:2400
            Source: Joe Sandbox ViewASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.245
            Source: Order Drawing.exe, 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, Order Drawing.exe, 00000000.00000002.2127574047.0000000004C39000.00000004.00000800.00020000.00000000.sdmp, Order Drawing.exe, 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
            Source: Yara matchFile source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2127574047.0000000004C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Order Drawing.exe PID: 4084, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Order Drawing.exe PID: 6432, type: MEMORYSTR

            E-Banking Fraud

            barindex
            Yara detected Remcos RAT
            Source: Yara matchFile source: 00000005.00000002.4576882925.00000000013E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.2334188947.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.2125985990.000000000116A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.2418028511.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.2248582094.0000000001097000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2127574047.0000000004C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Order Drawing.exe PID: 4084, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Order Drawing.exe PID: 6432, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 5464, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 5840, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 6452, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 5576, type: MEMORYSTR

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000000.00000002.2127574047.0000000004C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: Order Drawing.exe PID: 4084, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: Order Drawing.exe PID: 6432, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Initial sample is a PE file and has a suspicious name
            Source: initial sampleStatic PE information: Filename: Order Drawing.exe
            Source: C:\ProgramData\Remcos\remcos.exeProcess Stats: CPU usage > 49%
            Source: C:\Windows\System32\wbem\WMIADAP.exeFile created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
            Source: C:\Windows\System32\wbem\WMIADAP.exeFile created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
            Source: C:\Windows\System32\wbem\WMIADAP.exeFile created: C:\Windows\inf\WmiApRpl\
            Source: C:\Windows\System32\wbem\WMIADAP.exeFile created: C:\Windows\inf\WmiApRpl\WmiApRpl.h
            Source: C:\Windows\System32\wbem\WMIADAP.exeFile created: C:\Windows\inf\WmiApRpl\WmiApRpl.ini
            Source: C:\Windows\System32\wbem\WMIADAP.exeFile created: C:\Windows\inf\WmiApRpl\0009\
            Source: C:\Windows\System32\wbem\WMIADAP.exeFile created: C:\Windows\system32\PerfStringBackup.TMP
            Source: C:\Windows\System32\wbem\WMIADAP.exeFile deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h
            Source: Order Drawing.exe, 00000000.00000002.2127574047.00000000040D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs Order Drawing.exe
            Source: Order Drawing.exe, 00000000.00000002.2124605370.000000000162E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Order Drawing.exe
            Source: Order Drawing.exe, 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs Order Drawing.exe
            Source: Order Drawing.exe, 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Order Drawing.exe
            Source: Order Drawing.exe, 00000000.00000002.2133931729.0000000007FC0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Order Drawing.exe
            Source: Order Drawing.exe, 00000000.00000000.2110197145.0000000000E96000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamebEab.exe@ vs Order Drawing.exe
            Source: Order Drawing.exe, 00000000.00000002.2132909890.0000000007510000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs Order Drawing.exe
            Source: Order Drawing.exeBinary or memory string: OriginalFilenamebEab.exe@ vs Order Drawing.exe
            Source: Order Drawing.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000000.00000002.2127574047.0000000004C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: Order Drawing.exe PID: 4084, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: Order Drawing.exe PID: 6432, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Order Drawing.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: remcos.exe.3.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: classification engineClassification label: mal100.troj.expl.evad.winEXE@19/14@0/1
            Source: C:\Users\user\Desktop\Order Drawing.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order Drawing.exe.logJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMutant created: NULL
            Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
            Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
            Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
            Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
            Source: C:\ProgramData\Remcos\remcos.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-24L73B
            Source: Order Drawing.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: Order Drawing.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\Order Drawing.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: Order Drawing.exeVirustotal: Detection: 77%
            Source: Order Drawing.exeReversingLabs: Detection: 68%
            Source: C:\Users\user\Desktop\Order Drawing.exeFile read: C:\Users\user\Desktop\Order Drawing.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Order Drawing.exe "C:\Users\user\Desktop\Order Drawing.exe"
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess created: C:\Users\user\Desktop\Order Drawing.exe "C:\Users\user\Desktop\Order Drawing.exe"
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
            Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
            Source: unknownProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
            Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
            Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
            Source: unknownProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
            Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
            Source: unknownProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
            Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess created: C:\Users\user\Desktop\Order Drawing.exe "C:\Users\user\Desktop\Order Drawing.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: iconcodecservice.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: version.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wldp.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: profapi.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: amsi.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: userenv.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: iconcodecservice.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: winmm.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wininet.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: netutils.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: version.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wldp.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: profapi.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: amsi.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: userenv.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: iconcodecservice.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: winmm.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wininet.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: netutils.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: version.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wldp.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: profapi.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: amsi.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: userenv.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: iconcodecservice.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: winmm.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wininet.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: netutils.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: version.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wldp.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: profapi.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: amsi.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: userenv.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: iconcodecservice.dllJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: winmm.dll
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: urlmon.dll
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wininet.dll
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: iertutil.dll
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: srvcli.dll
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: netutils.dll
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: iphlpapi.dll
            Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: amsi.dll
            Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: loadperf.dll
            Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\Order Drawing.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: C:\Windows\System32\wbem\WMIADAP.exeFile written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\Order Drawing.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: Order Drawing.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Order Drawing.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Order Drawing.exeStatic PE information: section name: .text entropy: 7.831221418025935
            Source: remcos.exe.3.drStatic PE information: section name: .text entropy: 7.831221418025935
            Source: C:\Users\user\Desktop\Order Drawing.exeFile created: C:\ProgramData\Remcos\remcos.exeJump to dropped file
            Source: C:\Users\user\Desktop\Order Drawing.exeFile created: C:\ProgramData\Remcos\remcos.exeJump to dropped file

            Boot Survival

            barindex
            Creates autostart registry keys with suspicious names
            Source: C:\Users\user\Desktop\Order Drawing.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-24L73BJump to behavior
            Source: C:\Windows\System32\wbem\WMIADAP.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance
            Source: C:\Users\user\Desktop\Order Drawing.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-24L73BJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-24L73BJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-24L73BJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-24L73BJump to behavior
            Source: C:\Windows\System32\wbem\WMIADAP.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance Performance Data
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wbem\WMIADAP.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wbem\WMIADAP.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wbem\WMIADAP.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Yara detected AntiVM3
            Source: Yara matchFile source: Process Memory Space: Order Drawing.exe PID: 4084, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 3908, type: MEMORYSTR
            Source: C:\Users\user\Desktop\Order Drawing.exeMemory allocated: 15B0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeMemory allocated: 30D0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeMemory allocated: 50D0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeMemory allocated: 8180000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeMemory allocated: 9180000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeMemory allocated: 9340000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeMemory allocated: A340000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 1480000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 30D0000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 2ED0000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 7B50000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 8B50000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 8CF0000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 9CF0000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 2A50000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 2D20000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 2A50000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 77F0000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 87F0000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 8990000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 9990000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 2D20000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 2F80000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 2D20000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 7B10000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 8B10000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 8CB0000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 9CB0000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: B30000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 2600000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 4600000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 7200000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 8200000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 83A0000 memory reserve | memory write watchJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory allocated: 93A0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeWindow / User API: threadDelayed 6979Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeWindow / User API: threadDelayed 2966Jump to behavior
            Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1791
            Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 980
            Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1464
            Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1150
            Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 883
            Source: C:\Users\user\Desktop\Order Drawing.exe TID: 3792Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exe TID: 6468Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exe TID: 1612Thread sleep count: 6979 > 30Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exe TID: 1612Thread sleep time: -20937000s >= -30000sJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exe TID: 1612Thread sleep count: 2966 > 30Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exe TID: 1612Thread sleep time: -8898000s >= -30000sJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exe TID: 5268Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exe TID: 4876Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exe TID: 6432Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: Order Drawing.exe, 00000003.00000002.2125985990.0000000001181000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: remcos.exe, 00000005.00000002.4576882925.0000000001401000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\ProgramData\Remcos\remcos.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\Order Drawing.exeMemory written: C:\Users\user\Desktop\Order Drawing.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory written: C:\ProgramData\Remcos\remcos.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory written: C:\ProgramData\Remcos\remcos.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMemory written: C:\ProgramData\Remcos\remcos.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess created: C:\Users\user\Desktop\Order Drawing.exe "C:\Users\user\Desktop\Order Drawing.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"Jump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeQueries volume information: C:\Users\user\Desktop\Order Drawing.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\ProgramData\Remcos\remcos.exe VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\ProgramData\Remcos\remcos.exe VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\ProgramData\Remcos\remcos.exe VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\ProgramData\Remcos\remcos.exe VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Order Drawing.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected PureLog Stealer
            Source: Yara matchFile source: 00000000.00000002.2127574047.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2132909890.0000000007510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Yara detected Remcos RAT
            Source: Yara matchFile source: 00000005.00000002.4576882925.00000000013E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.2334188947.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.2125985990.000000000116A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.2418028511.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.2248582094.0000000001097000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2127574047.0000000004C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Order Drawing.exe PID: 4084, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Order Drawing.exe PID: 6432, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 5464, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 5840, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 6452, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 5576, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Detected Remcos RAT
            Source: C:\Users\user\Desktop\Order Drawing.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-24L73BJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-24L73BJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-24L73BJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-24L73BJump to behavior
            Source: C:\ProgramData\Remcos\remcos.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-24L73B
            Yara detected PureLog Stealer
            Source: Yara matchFile source: 00000000.00000002.2127574047.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2132909890.0000000007510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Yara detected Remcos RAT
            Source: Yara matchFile source: 00000005.00000002.4576882925.00000000013E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.2334188947.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.2125985990.000000000116A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.2418028511.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.2248582094.0000000001097000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2127574047.0000000004C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Order Drawing.exe PID: 4084, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Order Drawing.exe PID: 6432, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 5464, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 5840, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 6452, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 5576, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
            Windows Service            		1
            Windows Service            		11
            Masquerading            		OS Credential Dumping11
            Security Software Discovery            		Remote Services1
            Archive Collected Data            		1
            Non-Standard Port            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/Job11
            Registry Run Keys / Startup Folder            		111
            Process Injection            		1
            Modify Registry            		LSASS Memory1
            Process Discovery            		Remote Desktop ProtocolData from Removable Media1
            Remote Access Software            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAt1
            DLL Side-Loading            		11
            Registry Run Keys / Startup Folder            		1
            Disable or Modify Tools            		Security Account Manager31
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared Drive1
            Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
            DLL Side-Loading            		31
            Virtualization/Sandbox Evasion            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script111
            Process Injection            		LSA Secrets2
            File and Directory Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Obfuscated Files or Information            		Cached Domain Credentials12
            System Information Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
            Software Packing            		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            DLL Side-Loading            		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
            File Deletion            		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 1591546 Sample: Order Drawing.pif Startdate: 15/01/2025 Architecture: WINDOWS Score: 100 47 Suricata IDS alerts for network traffic 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 10 other signatures 2->53 8 Order Drawing.exe 3 2->8         started        12 remcos.exe 2 2->12         started        14 remcos.exe 2 2->14         started        16 remcos.exe 2 2->16         started        process3 file4 43 C:\Users\user\...\Order Drawing.exe.log, ASCII 8->43 dropped 61 Injects a PE file into a foreign processes 8->61 18 Order Drawing.exe 2 4 8->18         started        22 remcos.exe 12->22         started        24 remcos.exe 12->24         started        26 remcos.exe 14->26         started        28 remcos.exe 16->28         started        signatures5 process6 file7 39 C:\ProgramData\Remcos\remcos.exe, PE32 18->39 dropped 41 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 18->41 dropped 55 Detected Remcos RAT 18->55 57 Creates autostart registry keys with suspicious names 18->57 30 remcos.exe 3 18->30         started        33 WMIADAP.exe 18->33         started        signatures8 process9 signatures10 63 Multi AV Scanner detection for dropped file 30->63 65 Machine Learning detection for dropped file 30->65 67 Injects a PE file into a foreign processes 30->67 35 remcos.exe 4 1 30->35         started        process11 dnsIp12 45 87.120.116.245, 2400, 49712, 49716 UNACS-AS-BG8000BurgasBG Bulgaria 35->45 59 Detected Remcos RAT 35->59 signatures13

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            Order Drawing.exe78%VirustotalBrowse
            Order Drawing.exe68%ReversingLabsWin32.Trojan.Remcos
            Order Drawing.exe100%Joe Sandbox ML

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\ProgramData\Remcos\remcos.exe100%Joe Sandbox ML
            C:\ProgramData\Remcos\remcos.exe68%ReversingLabsWin32.Trojan.Remcos
            C:\ProgramData\Remcos\remcos.exe78%VirustotalBrowse

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://geoplugin.net/json.gp/COrder Drawing.exe, 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, Order Drawing.exe, 00000000.00000002.2127574047.0000000004C39000.00000004.00000800.00020000.00000000.sdmp, Order Drawing.exe, 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
              		high

              World Map of Contacted IPs

              • No. of IPs < 25%
              • 25% < No. of IPs < 50%
              • 50% < No. of IPs < 75%
              • 75% < No. of IPs

              Public IPs

              IPDomainCountryFlagASNASN NameMalicious
              87.120.116.245
              		unknownBulgaria
              		25206UNACS-AS-BG8000BurgasBGtrue

              General Information

              Joe Sandbox version:42.0.0 Malachite
              Analysis ID:1591546
              Start date and time:2025-01-15 03:51:10 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 7m 12s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:16
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:Order Drawing.exe
              (renamed file extension from pif to exe)
              Original Sample Name:Order Drawing.pif
              Detection:MAL
              Classification:mal100.troj.expl.evad.winEXE@19/14@0/1
              Cookbook Comments:
              • Override analysis time to 240000 for current running targets taking high CPU consumption

              Warnings

              • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.246.45, 172.202.163.200
              • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.

              Simulations

              Behavior and APIs

              TimeTypeDescription
              03:52:03AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-24L73B "C:\ProgramData\Remcos\remcos.exe"
              03:52:12AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Rmc-24L73B "C:\ProgramData\Remcos\remcos.exe"
              03:52:20AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-24L73B "C:\ProgramData\Remcos\remcos.exe"
              21:51:59API Interceptor1x Sleep call for process: Order Drawing.exe modified
              21:52:01API Interceptor5246927x Sleep call for process: remcos.exe modified

              Joe Sandbox View / Context

              IPs

              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              87.120.116.245Material requirements_1.pif.exeGet hashmaliciousRemcosBrowse

                Domains

                No context

                ASNs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                UNACS-AS-BG8000BurgasBGpreliminary drawing.pif.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                • 87.120.127.120
                5tCuNr661k.exeGet hashmaliciousRedLineBrowse
                • 87.120.120.86
                5tCuNr661k.exeGet hashmaliciousRedLineBrowse
                • 87.120.120.86
                shaLnqmyTS.exeGet hashmaliciousRedLineBrowse
                • 87.120.120.86
                shaLnqmyTS.exeGet hashmaliciousRedLineBrowse
                • 87.120.120.86
                zAGUEDGSTM.exeGet hashmaliciousRedLineBrowse
                • 87.120.120.86
                WtZl31OLfA.exeGet hashmaliciousRemcos, GuLoaderBrowse
                • 87.120.116.187
                C5Zr4LSzmp.exeGet hashmaliciousRedLineBrowse
                • 87.120.120.86
                C5Zr4LSzmp.exeGet hashmaliciousRedLineBrowse
                • 87.120.120.86

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\ProgramData\Remcos\remcos.exe

                Download File
                Process:C:\Users\user\Desktop\Order Drawing.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):1005568
                Entropy (8bit):7.827484845541161
                Encrypted:false
                SSDEEP:24576:rbT8S0ck7b8crshYjBSbIBDESo13E/WFRHVJmSr39RrE:rf8S0cXcrsWtDfoFRVJvNRrE
                MD5:3A9DA3EDC40736CC832EDED3C389A661
                SHA1:F32F61FB4458696DAE4F15D82377163521E4F8B5
                SHA-256:F2418CA6E602C9470A8B6E32172432726E50B00D6E7A0EE5BD70D0172017D6C3
                SHA-512:A1E2EFE247E78CFB0AD62125C69C44200F6FC094085A570A0AD9A4FF3D0F2025EB9F0AACBE7CD7DCE46A18121C02D46FEC471A3353733A93EC49B6A81D243E95
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 68%
                • Antivirus: Virustotal, Detection: 78%, Browse
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^&.g..............0..,...*.......K... ...`....@.. ....................................`.................................4K..O....`..|'........................................................................... ............... ..H............text....+... ...,.................. ..`.rsrc...|'...`...(..................@..@.reloc...............V..............@..B................hK......H........C...:......%...D~.................................................}......}.....(........}......o.....*..0............{........+..*..0............{........+..*..0..9.........(.........,.r...ps....z.{....o ...o!....o"...t.....+..*....0..9.........(.........,.r...ps....z.{....o#...o!....o"...t.....+..*....0..C.........($...u...........,...+(.o%...u.............,...+..o$...u.....+..*..0..+.........(......,.r+..ps....z..}.....(!....o&....*..0..8.........{.........,...+$.{

                C:\ProgramData\Remcos\remcos.exe:Zone.Identifier

                Download File
                Process:C:\Users\user\Desktop\Order Drawing.exe
                File Type:ASCII text, with CRLF line terminators
                Category:modified
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:true
                Preview:[ZoneTransfer]....ZoneId=0

                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order Drawing.exe.log

                Download File
                Process:C:\Users\user\Desktop\Order Drawing.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1216
                Entropy (8bit):5.34331486778365
                Encrypted:false
                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                Malicious:true
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\remcos.exe.log

                Download File
                Process:C:\ProgramData\Remcos\remcos.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1216
                Entropy (8bit):5.34331486778365
                Encrypted:false
                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                Malicious:false
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                C:\Windows\INF\WmiApRpl\WmiApRpl.h

                Download File
                Process:C:\Windows\System32\wbem\WMIADAP.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):3444
                Entropy (8bit):5.011954215267298
                Encrypted:false
                SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                MD5:B133A676D139032A27DE3D9619E70091
                SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                Malicious:false
                Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

                C:\Windows\INF\WmiApRpl\WmiApRpl.ini

                Download File
                Process:C:\Windows\System32\wbem\WMIADAP.exe
                File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
                Category:dropped
                Size (bytes):48786
                Entropy (8bit):3.5854495362228453
                Encrypted:false
                SSDEEP:384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
                MD5:DF877BEC5C9E3382E94FEA48FEE049AC
                SHA1:1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
                SHA-256:7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
                SHA-512:433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
                Malicious:false
                Preview:.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.

                C:\Windows\System32\PerfStringBackup.INI

                Download File
                Process:C:\Windows\System32\wbem\WMIADAP.exe
                File Type:data
                Category:dropped
                Size (bytes):840878
                Entropy (8bit):3.4224066455051885
                Encrypted:false
                SSDEEP:3072:xJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc7+:01nqgsp2gOKih3
                MD5:D3ED23A3E63ACA8CF656C585568DA6D7
                SHA1:1A499D7E9A030D53B2A4DBD36F6F14B6531A6094
                SHA-256:AE5A6E258A41298BE6CF2B3DA812E992E1D6A3C7FBC7DD4AA8B413DA850E8B65
                SHA-512:21E2953B0819567865DA9C80A7D07021D7ED48F4BA3CD843C42D13D18E0E8FB27FA2F7C4EC86D4A1F4D887146F0F7E9E05B6A53D85398EA43240C2E180D52E00
                Malicious:false
                Preview:........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.1.0.1.2.2.....L.a.s.t. .H.e.l.p.=.1.0.1.2.3.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.4.0.....F.i.r.s.t. .H.e.l.p.=.6.8.4.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.5.2.....L.a.s.t. .H.e.l.p.=.6.8.5.3.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.2.8.....F.i.r.s.t. .H.e.l.p.=.6.8.2.9.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.3.8.....L.a.s.t. .H.e.l.p.=.6.8.3.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.9.0.0.....F.i.r.s.t. .H.e.l.p.=.6.9.0.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.9.2.6.....L.a.s.t. .H.e.l.p.=.6.9.2.7.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.1.6.....F.i.r.s.t. .H.e.l.p.=.8.9.1.7.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.4.4.....L.a.s.t. .H.e.l.p.=.8.9.4.5.........[.P.E.R.F._...N.E.

                C:\Windows\System32\PerfStringBackup.TMP

                Download File
                Process:C:\Windows\System32\wbem\WMIADAP.exe
                File Type:data
                Category:dropped
                Size (bytes):840878
                Entropy (8bit):3.4224066455051885
                Encrypted:false
                SSDEEP:3072:xJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc7+:01nqgsp2gOKih3
                MD5:D3ED23A3E63ACA8CF656C585568DA6D7
                SHA1:1A499D7E9A030D53B2A4DBD36F6F14B6531A6094
                SHA-256:AE5A6E258A41298BE6CF2B3DA812E992E1D6A3C7FBC7DD4AA8B413DA850E8B65
                SHA-512:21E2953B0819567865DA9C80A7D07021D7ED48F4BA3CD843C42D13D18E0E8FB27FA2F7C4EC86D4A1F4D887146F0F7E9E05B6A53D85398EA43240C2E180D52E00
                Malicious:false
                Preview:........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.1.0.1.2.2.....L.a.s.t. .H.e.l.p.=.1.0.1.2.3.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.4.0.....F.i.r.s.t. .H.e.l.p.=.6.8.4.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.5.2.....L.a.s.t. .H.e.l.p.=.6.8.5.3.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.2.8.....F.i.r.s.t. .H.e.l.p.=.6.8.2.9.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.3.8.....L.a.s.t. .H.e.l.p.=.6.8.3.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.9.0.0.....F.i.r.s.t. .H.e.l.p.=.6.9.0.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.9.2.6.....L.a.s.t. .H.e.l.p.=.6.9.2.7.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.1.6.....F.i.r.s.t. .H.e.l.p.=.8.9.1.7.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.4.4.....L.a.s.t. .H.e.l.p.=.8.9.4.5.........[.P.E.R.F._...N.E.

                C:\Windows\System32\perfc009.dat

                Download File
                Process:C:\Windows\System32\wbem\WMIADAP.exe
                File Type:data
                Category:dropped
                Size (bytes):137550
                Entropy (8bit):3.409189992022338
                Encrypted:false
                SSDEEP:1536:X1i4nfw8ld9+mRDaUR28oV7TYfXLi7NwrgSwNu56FRtg:XBnfw8ld9+mRDaUR28oV7TY+7S0ba
                MD5:084B771A167854C5B38E25D4E199B637
                SHA1:AE6D36D4EC5A9E515E8735525BD80C96AC0F8122
                SHA-256:B3CF0050FAF325C36535D665C24411F3877E3667904DFE9D8A1C802ED4BCD56D
                SHA-512:426C15923F54EC93F22D9523B5CB6D326F727A34F5FF2BDE63D1CB3AD97CAB7E5B2ABABBC6ED5082B5E3140E9342A4E6F354359357A3F9AEF285278CB38A5835
                Malicious:false
                Preview:1...1.8.4.7...2...S.y.s.t.e.m...4...M.e.m.o.r.y...6...%. .P.r.o.c.e.s.s.o.r. .T.i.m.e...1.0...F.i.l.e. .R.e.a.d. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.2...F.i.l.e. .W.r.i.t.e. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.4...F.i.l.e. .C.o.n.t.r.o.l. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.6...F.i.l.e. .R.e.a.d. .B.y.t.e.s./.s.e.c...1.8...F.i.l.e. .W.r.i.t.e. .B.y.t.e.s./.s.e.c...2.0...F.i.l.e. .C.o.n.t.r.o.l. .B.y.t.e.s./.s.e.c...2.4...A.v.a.i.l.a.b.l.e. .B.y.t.e.s...2.6...C.o.m.m.i.t.t.e.d. .B.y.t.e.s...2.8...P.a.g.e. .F.a.u.l.t.s./.s.e.c...3.0...C.o.m.m.i.t. .L.i.m.i.t...3.2...W.r.i.t.e. .C.o.p.i.e.s./.s.e.c...3.4...T.r.a.n.s.i.t.i.o.n. .F.a.u.l.t.s./.s.e.c...3.6...C.a.c.h.e. .F.a.u.l.t.s./.s.e.c...3.8...D.e.m.a.n.d. .Z.e.r.o. .F.a.u.l.t.s./.s.e.c...4.0...P.a.g.e.s./.s.e.c...4.2...P.a.g.e. .R.e.a.d.s./.s.e.c...4.4...P.r.o.c.e.s.s.o.r. .Q.u.e.u.e. .L.e.n.g.t.h...4.6...T.h.r.e.a.d. .S.t.a.t.e...4.8...P.a.g.e.s. .O.u.t.p.u.t./.s.e.c...5.0...P.a.g.e. .W.r.i.t.e.s./.s.e.c...5.2...B.r.o.w.s.e.r...5.4...A.n.n.o.u.

                C:\Windows\System32\perfh009.dat

                Download File
                Process:C:\Windows\System32\wbem\WMIADAP.exe
                File Type:data
                Category:dropped
                Size (bytes):715050
                Entropy (8bit):3.278818886805871
                Encrypted:false
                SSDEEP:3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHHx643/A5BK9YXdhPHlVziwC4ALWI1dnmRh:78M6d0w+WB6I
                MD5:342BC94F85E143BE85B5B997163A0BB3
                SHA1:8780CD88D169AE88C843E19239D9A32625F6A73E
                SHA-256:F7D40B4FADA44B2A5231780F99C3CE784BCF33866B59D5EB767EEA8E532AD2C4
                SHA-512:0A4ED9104CAFCE95E204B5505181816E7AA7941DED2694FF75EFABAAB821BF0F0FE5B32261ED213C710250B7845255F4E317D86A3A6D4C2C21F866207233C57E
                Malicious:false
                Preview:3...T.h.e. .S.y.s.t.e.m. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .a.p.p.l.y. .t.o. .m.o.r.e. .t.h.a.n. .o.n.e. .i.n.s.t.a.n.c.e. .o.f. .a. .c.o.m.p.o.n.e.n.t. .p.r.o.c.e.s.s.o.r.s. .o.n. .t.h.e. .c.o.m.p.u.t.e.r.....5...T.h.e. .M.e.m.o.r.y. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. . .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .d.e.s.c.r.i.b.e. .t.h.e. .b.e.h.a.v.i.o.r. .o.f. .p.h.y.s.i.c.a.l. .a.n.d. .v.i.r.t.u.a.l. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .P.h.y.s.i.c.a.l. .m.e.m.o.r.y. .i.s. .t.h.e. .a.m.o.u.n.t. .o.f. .r.a.n.d.o.m. .a.c.c.e.s.s. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .V.i.r.t.u.a.l. .m.e.m.o.r.y. .c.o.n.s.i.s.t.s. .o.f. .t.h.e. .s.p.a.c.e. .i.n. .p.h.y.s.i.c.a.l. .m.e.m.o.r.y. .a.n.d. .o.n. .d.i.s.k... . .M.a.n.y. .o.f. .t.h.e. .m.e.m.o.r.y. .c.o.u.n.t.e.r.s. .m.o.n.i.t.o.r. .p.a.g.i.n.g.,. .w.h.i.c.h. .i.s. .t.h.e. .m.o.v.e.m.e.n.t. .o.f. .p.a.g.e.s. .o.f. .c.o.d.e. .a.n.d. .d.a.t.a. .b.e.t.

                C:\Windows\System32\wbem\Performance\WmiApRpl_new.h

                Download File
                Process:C:\Windows\System32\wbem\WMIADAP.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):3444
                Entropy (8bit):5.011954215267298
                Encrypted:false
                SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                MD5:B133A676D139032A27DE3D9619E70091
                SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                Malicious:false
                Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

                C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

                Download File
                Process:C:\Windows\System32\wbem\WMIADAP.exe
                File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
                Category:dropped
                Size (bytes):48786
                Entropy (8bit):3.5854495362228453
                Encrypted:false
                SSDEEP:384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
                MD5:DF877BEC5C9E3382E94FEA48FEE049AC
                SHA1:1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
                SHA-256:7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
                SHA-512:433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
                Malicious:false
                Preview:.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.

                C:\Windows\system32\wbem\Performance\WmiApRpl.h (copy)

                Download File
                Process:C:\Windows\System32\wbem\WMIADAP.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):3444
                Entropy (8bit):5.011954215267298
                Encrypted:false
                SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                MD5:B133A676D139032A27DE3D9619E70091
                SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                Malicious:false
                Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

                C:\Windows\system32\wbem\Performance\WmiApRpl.ini (copy)

                Download File
                Process:C:\Windows\System32\wbem\WMIADAP.exe
                File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
                Category:dropped
                Size (bytes):48786
                Entropy (8bit):3.5854495362228453
                Encrypted:false
                SSDEEP:384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
                MD5:DF877BEC5C9E3382E94FEA48FEE049AC
                SHA1:1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
                SHA-256:7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
                SHA-512:433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
                Malicious:false
                Preview:.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):7.827484845541161
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                • Win32 Executable (generic) a (10002005/4) 49.78%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Generic Win/DOS Executable (2004/3) 0.01%
                • DOS Executable Generic (2002/1) 0.01%
                File name:Order Drawing.exe
                File size:1'005'568 bytes
                MD5:3a9da3edc40736cc832eded3c389a661
                SHA1:f32f61fb4458696dae4f15d82377163521e4f8b5
                SHA256:f2418ca6e602c9470a8b6e32172432726e50b00d6e7a0ee5bd70d0172017d6c3
                SHA512:a1e2efe247e78cfb0ad62125c69c44200f6fc094085a570a0ad9a4ff3d0f2025eb9f0aacbe7cd7dce46a18121c02d46fec471a3353733a93ec49b6a81d243e95
                SSDEEP:24576:rbT8S0ck7b8crshYjBSbIBDESo13E/WFRHVJmSr39RrE:rf8S0cXcrsWtDfoFRVJvNRrE
                TLSH:252512592749ED06C8D20BB098B0E3F826705FD9EA51C3039AFDBEFB7C265967418394
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^&.g..............0..,...*.......K... ...`....@.. ....................................`................................

                File Icon

                Icon Hash:33362c2d36335470

                Static PE Info

                General

                Entrypoint:0x4f4b86
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp:0x677F265E [Thu Jan 9 01:29:02 2025 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                Entrypoint Preview

                Instruction
                jmp dword ptr [00402000h]
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al

                Data Directories

                NameVirtual AddressVirtual Size Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_IMPORT0xf4b340x4f.text
                IMAGE_DIRECTORY_ENTRY_RESOURCE0xf60000x277c.rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC0xfa0000xc.reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                Sections

                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                .text0x20000xf2b8c0xf2c000a8b8c4bd722d339244aaee111723f05False0.935753049369207data7.831221418025935IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rsrc0xf60000x277c0x28004e9b0506103b0eab1b88df4722769ed0False0.87890625data7.595806949277348IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc0xfa0000xc0x200f7cd7afbc98af4aee0e8ddfc076da2a5False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                Resources

                NameRVASizeTypeLanguageCountryZLIB Complexity
                RT_ICON0xf60c80x2356PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9427371213796153
                RT_GROUP_ICON0xf84300x14data1.05
                RT_VERSION0xf84540x324data0.43283582089552236

                Imports

                DLLImport
                mscoree.dll_CorExeMain

                Network Behavior

                Suricata IDS Alerts

                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                2025-01-15T03:52:04.621826+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64971287.120.116.2452400TCP
                2025-01-15T03:52:07.276937+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64971687.120.116.2452400TCP
                2025-01-15T03:52:09.933454+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64971987.120.116.2452400TCP
                2025-01-15T03:52:12.591489+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64973087.120.116.2452400TCP
                2025-01-15T03:52:15.259743+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64975187.120.116.2452400TCP
                2025-01-15T03:52:17.865612+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64976987.120.116.2452400TCP
                2025-01-15T03:52:20.509590+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64978887.120.116.2452400TCP
                2025-01-15T03:52:23.185289+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64980787.120.116.2452400TCP
                2025-01-15T03:52:25.819711+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64982487.120.116.2452400TCP
                2025-01-15T03:52:28.449209+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64984487.120.116.2452400TCP
                2025-01-15T03:52:31.107542+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64986087.120.116.2452400TCP
                2025-01-15T03:52:33.725550+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64987887.120.116.2452400TCP
                2025-01-15T03:52:36.355943+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64989287.120.116.2452400TCP
                2025-01-15T03:52:38.991383+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64990887.120.116.2452400TCP
                2025-01-15T03:52:41.640594+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64992387.120.116.2452400TCP
                2025-01-15T03:52:44.275865+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64994487.120.116.2452400TCP
                2025-01-15T03:52:46.916957+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64996087.120.116.2452400TCP
                2025-01-15T03:52:49.543468+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64997687.120.116.2452400TCP
                2025-01-15T03:52:52.164880+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.64999387.120.116.2452400TCP
                2025-01-15T03:52:54.792057+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65000487.120.116.2452400TCP
                2025-01-15T03:52:57.399239+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65000887.120.116.2452400TCP
                2025-01-15T03:53:00.026488+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65000987.120.116.2452400TCP
                2025-01-15T03:53:02.666994+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65001087.120.116.2452400TCP
                2025-01-15T03:53:05.272535+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65001187.120.116.2452400TCP
                2025-01-15T03:53:07.901999+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65001287.120.116.2452400TCP
                2025-01-15T03:53:10.667114+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65001387.120.116.2452400TCP
                2025-01-15T03:53:13.290530+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65001487.120.116.2452400TCP
                2025-01-15T03:53:16.025531+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65001587.120.116.2452400TCP
                2025-01-15T03:53:18.654842+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65001787.120.116.2452400TCP
                2025-01-15T03:53:21.310575+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65001887.120.116.2452400TCP
                2025-01-15T03:53:24.026035+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65001987.120.116.2452400TCP
                2025-01-15T03:53:26.639649+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65002087.120.116.2452400TCP
                2025-01-15T03:53:29.429905+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65002287.120.116.2452400TCP
                2025-01-15T03:53:32.046934+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65002387.120.116.2452400TCP
                2025-01-15T03:53:34.617455+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65002487.120.116.2452400TCP
                2025-01-15T03:53:37.152143+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65002587.120.116.2452400TCP
                2025-01-15T03:53:39.635619+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65002687.120.116.2452400TCP
                2025-01-15T03:53:42.105080+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65002787.120.116.2452400TCP
                2025-01-15T03:53:44.559002+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65002887.120.116.2452400TCP
                2025-01-15T03:53:46.982082+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65002987.120.116.2452400TCP
                2025-01-15T03:53:49.370483+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65003087.120.116.2452400TCP
                2025-01-15T03:53:51.781420+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65003187.120.116.2452400TCP
                2025-01-15T03:53:54.119693+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65003287.120.116.2452400TCP
                2025-01-15T03:53:56.414225+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65003387.120.116.2452400TCP
                2025-01-15T03:53:58.734421+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65003487.120.116.2452400TCP
                2025-01-15T03:54:01.072076+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65003587.120.116.2452400TCP
                2025-01-15T03:54:03.347669+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65003687.120.116.2452400TCP
                2025-01-15T03:54:05.985373+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65003787.120.116.2452400TCP
                2025-01-15T03:54:08.214670+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65003887.120.116.2452400TCP
                2025-01-15T03:54:10.401862+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65003987.120.116.2452400TCP
                2025-01-15T03:54:12.635517+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65004087.120.116.2452400TCP
                2025-01-15T03:54:14.794990+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65004187.120.116.2452400TCP
                2025-01-15T03:54:16.953465+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65004287.120.116.2452400TCP
                2025-01-15T03:54:19.127044+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65004387.120.116.2452400TCP
                2025-01-15T03:54:21.246733+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65004487.120.116.2452400TCP
                2025-01-15T03:54:23.355981+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65004587.120.116.2452400TCP
                2025-01-15T03:54:25.455162+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65004687.120.116.2452400TCP
                2025-01-15T03:54:27.512718+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65004787.120.116.2452400TCP
                2025-01-15T03:54:29.563773+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65004887.120.116.2452400TCP
                2025-01-15T03:54:31.590137+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65004987.120.116.2452400TCP
                2025-01-15T03:54:33.626385+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65005087.120.116.2452400TCP
                2025-01-15T03:54:35.618968+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65005187.120.116.2452400TCP
                2025-01-15T03:54:37.607783+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65005287.120.116.2452400TCP
                2025-01-15T03:54:39.571156+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65005387.120.116.2452400TCP
                2025-01-15T03:54:41.546819+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65005487.120.116.2452400TCP
                2025-01-15T03:54:43.514335+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65005587.120.116.2452400TCP
                2025-01-15T03:54:45.450274+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65005687.120.116.2452400TCP
                2025-01-15T03:54:47.388118+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65005787.120.116.2452400TCP
                2025-01-15T03:54:49.326076+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65005887.120.116.2452400TCP
                2025-01-15T03:54:51.247416+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65005987.120.116.2452400TCP
                2025-01-15T03:54:53.155519+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65006087.120.116.2452400TCP
                2025-01-15T03:54:55.062336+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65006187.120.116.2452400TCP
                2025-01-15T03:54:57.011473+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65006287.120.116.2452400TCP
                2025-01-15T03:54:58.908122+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65006487.120.116.2452400TCP
                2025-01-15T03:55:00.799650+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65006587.120.116.2452400TCP
                2025-01-15T03:55:02.659829+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65006687.120.116.2452400TCP
                2025-01-15T03:55:06.915609+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65006787.120.116.2452400TCP
                2025-01-15T03:55:08.773635+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65006887.120.116.2452400TCP
                2025-01-15T03:55:10.623543+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65006987.120.116.2452400TCP
                2025-01-15T03:55:12.451874+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65007087.120.116.2452400TCP
                2025-01-15T03:55:14.278998+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65007187.120.116.2452400TCP
                2025-01-15T03:55:16.091815+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65007287.120.116.2452400TCP
                2025-01-15T03:55:17.923995+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65007387.120.116.2452400TCP
                2025-01-15T03:55:19.752076+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65007487.120.116.2452400TCP
                2025-01-15T03:55:21.565936+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65007587.120.116.2452400TCP
                2025-01-15T03:55:23.377942+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65007687.120.116.2452400TCP
                2025-01-15T03:55:25.150772+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65007787.120.116.2452400TCP
                2025-01-15T03:55:26.900548+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65007887.120.116.2452400TCP
                2025-01-15T03:55:28.650328+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65007987.120.116.2452400TCP
                2025-01-15T03:55:30.439932+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65008087.120.116.2452400TCP
                2025-01-15T03:55:32.218938+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65008187.120.116.2452400TCP
                2025-01-15T03:55:33.963133+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65008287.120.116.2452400TCP
                2025-01-15T03:55:35.733580+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65008387.120.116.2452400TCP
                2025-01-15T03:55:37.500070+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65008487.120.116.2452400TCP
                2025-01-15T03:55:39.280091+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65008587.120.116.2452400TCP
                2025-01-15T03:55:41.103972+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65008687.120.116.2452400TCP
                2025-01-15T03:55:42.878679+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65008787.120.116.2452400TCP
                2025-01-15T03:55:44.608497+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65008887.120.116.2452400TCP
                2025-01-15T03:55:46.355985+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65008987.120.116.2452400TCP
                2025-01-15T03:55:48.108490+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65009087.120.116.2452400TCP
                2025-01-15T03:55:49.843749+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65009187.120.116.2452400TCP
                2025-01-15T03:55:51.557415+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65009287.120.116.2452400TCP
                2025-01-15T03:55:53.280261+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65009387.120.116.2452400TCP
                2025-01-15T03:55:54.984081+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65009487.120.116.2452400TCP
                2025-01-15T03:55:56.728142+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65009587.120.116.2452400TCP
                2025-01-15T03:55:58.471338+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65009687.120.116.2452400TCP
                2025-01-15T03:56:00.234766+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65009787.120.116.2452400TCP
                2025-01-15T03:56:01.971692+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65009887.120.116.2452400TCP
                2025-01-15T03:56:03.704158+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65009987.120.116.2452400TCP
                2025-01-15T03:56:05.629334+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65010087.120.116.2452400TCP
                2025-01-15T03:56:07.343262+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65010187.120.116.2452400TCP
                2025-01-15T03:56:09.965505+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.65010287.120.116.2452400TCP

                Network Port Distribution

                TCP Packets

                TimestampSource PortDest PortSource IPDest IP
                Jan 15, 2025 03:52:02.978421926 CET497122400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:02.983285904 CET24004971287.120.116.245192.168.2.6
                Jan 15, 2025 03:52:02.983407021 CET497122400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:02.989250898 CET497122400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:02.994033098 CET24004971287.120.116.245192.168.2.6
                Jan 15, 2025 03:52:04.618639946 CET24004971287.120.116.245192.168.2.6
                Jan 15, 2025 03:52:04.621825933 CET497122400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:04.621912956 CET497122400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:04.626684904 CET24004971287.120.116.245192.168.2.6
                Jan 15, 2025 03:52:05.636647940 CET497162400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:05.641565084 CET24004971687.120.116.245192.168.2.6
                Jan 15, 2025 03:52:05.641661882 CET497162400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:05.645498037 CET497162400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:05.650320053 CET24004971687.120.116.245192.168.2.6
                Jan 15, 2025 03:52:07.276669025 CET24004971687.120.116.245192.168.2.6
                Jan 15, 2025 03:52:07.276937008 CET497162400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:07.279249907 CET497162400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:07.284006119 CET24004971687.120.116.245192.168.2.6
                Jan 15, 2025 03:52:08.294406891 CET497192400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:08.299282074 CET24004971987.120.116.245192.168.2.6
                Jan 15, 2025 03:52:08.299741030 CET497192400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:08.306720018 CET497192400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:08.311674118 CET24004971987.120.116.245192.168.2.6
                Jan 15, 2025 03:52:09.932882071 CET24004971987.120.116.245192.168.2.6
                Jan 15, 2025 03:52:09.933454037 CET497192400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:09.936491013 CET497192400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:09.941337109 CET24004971987.120.116.245192.168.2.6
                Jan 15, 2025 03:52:10.949480057 CET497302400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:10.954396963 CET24004973087.120.116.245192.168.2.6
                Jan 15, 2025 03:52:10.954560041 CET497302400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:10.958491087 CET497302400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:10.963367939 CET24004973087.120.116.245192.168.2.6
                Jan 15, 2025 03:52:12.591417074 CET24004973087.120.116.245192.168.2.6
                Jan 15, 2025 03:52:12.591489077 CET497302400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:12.591552973 CET497302400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:12.597291946 CET24004973087.120.116.245192.168.2.6
                Jan 15, 2025 03:52:13.626962900 CET497512400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:13.631803036 CET24004975187.120.116.245192.168.2.6
                Jan 15, 2025 03:52:13.631896973 CET497512400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:13.635905981 CET497512400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:13.640732050 CET24004975187.120.116.245192.168.2.6
                Jan 15, 2025 03:52:15.259685040 CET24004975187.120.116.245192.168.2.6
                Jan 15, 2025 03:52:15.259742975 CET497512400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:15.259839058 CET497512400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:15.264619112 CET24004975187.120.116.245192.168.2.6
                Jan 15, 2025 03:52:16.261625051 CET497692400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:16.266618967 CET24004976987.120.116.245192.168.2.6
                Jan 15, 2025 03:52:16.266701937 CET497692400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:16.271123886 CET497692400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:16.275999069 CET24004976987.120.116.245192.168.2.6
                Jan 15, 2025 03:52:17.865540028 CET24004976987.120.116.245192.168.2.6
                Jan 15, 2025 03:52:17.865612030 CET497692400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:17.865695953 CET497692400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:17.870500088 CET24004976987.120.116.245192.168.2.6
                Jan 15, 2025 03:52:18.888117075 CET497882400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:18.892997026 CET24004978887.120.116.245192.168.2.6
                Jan 15, 2025 03:52:18.893106937 CET497882400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:18.927238941 CET497882400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:18.932008028 CET24004978887.120.116.245192.168.2.6
                Jan 15, 2025 03:52:20.509500027 CET24004978887.120.116.245192.168.2.6
                Jan 15, 2025 03:52:20.509589911 CET497882400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:20.509744883 CET497882400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:20.514609098 CET24004978887.120.116.245192.168.2.6
                Jan 15, 2025 03:52:21.535116911 CET498072400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:21.539958954 CET24004980787.120.116.245192.168.2.6
                Jan 15, 2025 03:52:21.542047024 CET498072400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:21.604512930 CET498072400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:21.609353065 CET24004980787.120.116.245192.168.2.6
                Jan 15, 2025 03:52:23.185029984 CET24004980787.120.116.245192.168.2.6
                Jan 15, 2025 03:52:23.185288906 CET498072400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:23.185288906 CET498072400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:23.190171003 CET24004980787.120.116.245192.168.2.6
                Jan 15, 2025 03:52:24.224265099 CET498242400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:24.229121923 CET24004982487.120.116.245192.168.2.6
                Jan 15, 2025 03:52:24.229243040 CET498242400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:24.250636101 CET498242400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:24.255577087 CET24004982487.120.116.245192.168.2.6
                Jan 15, 2025 03:52:25.819499969 CET24004982487.120.116.245192.168.2.6
                Jan 15, 2025 03:52:25.819710970 CET498242400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:25.819710970 CET498242400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:25.824496031 CET24004982487.120.116.245192.168.2.6
                Jan 15, 2025 03:52:26.824440002 CET498442400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:26.829864979 CET24004984487.120.116.245192.168.2.6
                Jan 15, 2025 03:52:26.829936981 CET498442400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:26.834953070 CET498442400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:26.840895891 CET24004984487.120.116.245192.168.2.6
                Jan 15, 2025 03:52:28.449078083 CET24004984487.120.116.245192.168.2.6
                Jan 15, 2025 03:52:28.449208975 CET498442400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:28.449208975 CET498442400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:28.454051018 CET24004984487.120.116.245192.168.2.6
                Jan 15, 2025 03:52:29.464864016 CET498602400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:29.469816923 CET24004986087.120.116.245192.168.2.6
                Jan 15, 2025 03:52:29.469923019 CET498602400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:29.474042892 CET498602400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:29.478811026 CET24004986087.120.116.245192.168.2.6
                Jan 15, 2025 03:52:31.107399940 CET24004986087.120.116.245192.168.2.6
                Jan 15, 2025 03:52:31.107542038 CET498602400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:31.107656956 CET498602400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:31.113122940 CET24004986087.120.116.245192.168.2.6
                Jan 15, 2025 03:52:32.121323109 CET498782400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:32.126256943 CET24004987887.120.116.245192.168.2.6
                Jan 15, 2025 03:52:32.126487970 CET498782400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:32.130717039 CET498782400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:32.135530949 CET24004987887.120.116.245192.168.2.6
                Jan 15, 2025 03:52:33.725478888 CET24004987887.120.116.245192.168.2.6
                Jan 15, 2025 03:52:33.725549936 CET498782400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:33.725622892 CET498782400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:33.730526924 CET24004987887.120.116.245192.168.2.6
                Jan 15, 2025 03:52:34.730310917 CET498922400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:34.735109091 CET24004989287.120.116.245192.168.2.6
                Jan 15, 2025 03:52:34.735179901 CET498922400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:34.738713026 CET498922400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:34.743534088 CET24004989287.120.116.245192.168.2.6
                Jan 15, 2025 03:52:36.355532885 CET24004989287.120.116.245192.168.2.6
                Jan 15, 2025 03:52:36.355942965 CET498922400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:36.356009007 CET498922400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:36.360825062 CET24004989287.120.116.245192.168.2.6
                Jan 15, 2025 03:52:37.371963978 CET499082400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:37.376992941 CET24004990887.120.116.245192.168.2.6
                Jan 15, 2025 03:52:37.377470016 CET499082400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:37.409121990 CET499082400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:37.413935900 CET24004990887.120.116.245192.168.2.6
                Jan 15, 2025 03:52:38.990545988 CET24004990887.120.116.245192.168.2.6
                Jan 15, 2025 03:52:38.991383076 CET499082400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:38.991470098 CET499082400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:38.996265888 CET24004990887.120.116.245192.168.2.6
                Jan 15, 2025 03:52:39.995984077 CET499232400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:40.000845909 CET24004992387.120.116.245192.168.2.6
                Jan 15, 2025 03:52:40.000931978 CET499232400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:40.006294966 CET499232400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:40.011147976 CET24004992387.120.116.245192.168.2.6
                Jan 15, 2025 03:52:41.640528917 CET24004992387.120.116.245192.168.2.6
                Jan 15, 2025 03:52:41.640594006 CET499232400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:41.640680075 CET499232400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:41.645706892 CET24004992387.120.116.245192.168.2.6
                Jan 15, 2025 03:52:42.652134895 CET499442400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:42.657097101 CET24004994487.120.116.245192.168.2.6
                Jan 15, 2025 03:52:42.657196999 CET499442400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:42.660850048 CET499442400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:42.665757895 CET24004994487.120.116.245192.168.2.6
                Jan 15, 2025 03:52:44.275624990 CET24004994487.120.116.245192.168.2.6
                Jan 15, 2025 03:52:44.275865078 CET499442400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:44.275913954 CET499442400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:44.280724049 CET24004994487.120.116.245192.168.2.6
                Jan 15, 2025 03:52:45.277390957 CET499602400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:45.290734053 CET24004996087.120.116.245192.168.2.6
                Jan 15, 2025 03:52:45.290890932 CET499602400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:45.296243906 CET499602400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:45.301104069 CET24004996087.120.116.245192.168.2.6
                Jan 15, 2025 03:52:46.916856050 CET24004996087.120.116.245192.168.2.6
                Jan 15, 2025 03:52:46.916956902 CET499602400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:46.917006969 CET499602400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:46.921953917 CET24004996087.120.116.245192.168.2.6
                Jan 15, 2025 03:52:47.917963028 CET499762400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:47.922872066 CET24004997687.120.116.245192.168.2.6
                Jan 15, 2025 03:52:47.922986031 CET499762400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:47.926626921 CET499762400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:47.931457996 CET24004997687.120.116.245192.168.2.6
                Jan 15, 2025 03:52:49.539668083 CET24004997687.120.116.245192.168.2.6
                Jan 15, 2025 03:52:49.543467999 CET499762400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:49.543519974 CET499762400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:49.548408031 CET24004997687.120.116.245192.168.2.6
                Jan 15, 2025 03:52:50.558542013 CET499932400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:50.563668013 CET24004999387.120.116.245192.168.2.6
                Jan 15, 2025 03:52:50.563827991 CET499932400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:50.567085028 CET499932400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:50.571990967 CET24004999387.120.116.245192.168.2.6
                Jan 15, 2025 03:52:52.164798021 CET24004999387.120.116.245192.168.2.6
                Jan 15, 2025 03:52:52.164880037 CET499932400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:52.167066097 CET499932400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:52.172002077 CET24004999387.120.116.245192.168.2.6
                Jan 15, 2025 03:52:53.168240070 CET500042400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:53.173202038 CET24005000487.120.116.245192.168.2.6
                Jan 15, 2025 03:52:53.173289061 CET500042400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:53.179851055 CET500042400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:53.184755087 CET24005000487.120.116.245192.168.2.6
                Jan 15, 2025 03:52:54.791961908 CET24005000487.120.116.245192.168.2.6
                Jan 15, 2025 03:52:54.792057037 CET500042400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:54.792107105 CET500042400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:54.796957970 CET24005000487.120.116.245192.168.2.6
                Jan 15, 2025 03:52:55.792962074 CET500082400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:55.798172951 CET24005000887.120.116.245192.168.2.6
                Jan 15, 2025 03:52:55.798238993 CET500082400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:55.801907063 CET500082400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:55.806953907 CET24005000887.120.116.245192.168.2.6
                Jan 15, 2025 03:52:57.398926973 CET24005000887.120.116.245192.168.2.6
                Jan 15, 2025 03:52:57.399239063 CET500082400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:57.399240017 CET500082400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:57.404094934 CET24005000887.120.116.245192.168.2.6
                Jan 15, 2025 03:52:58.404797077 CET500092400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:58.410165071 CET24005000987.120.116.245192.168.2.6
                Jan 15, 2025 03:52:58.410262108 CET500092400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:58.424817085 CET500092400192.168.2.687.120.116.245
                Jan 15, 2025 03:52:58.429689884 CET24005000987.120.116.245192.168.2.6
                Jan 15, 2025 03:53:00.026046038 CET24005000987.120.116.245192.168.2.6
                Jan 15, 2025 03:53:00.026488066 CET500092400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:00.026489019 CET500092400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:00.031441927 CET24005000987.120.116.245192.168.2.6
                Jan 15, 2025 03:53:01.049073935 CET500102400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:01.054197073 CET24005001087.120.116.245192.168.2.6
                Jan 15, 2025 03:53:01.054297924 CET500102400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:01.115165949 CET500102400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:01.120225906 CET24005001087.120.116.245192.168.2.6
                Jan 15, 2025 03:53:02.666785002 CET24005001087.120.116.245192.168.2.6
                Jan 15, 2025 03:53:02.666994095 CET500102400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:02.667058945 CET500102400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:02.671952009 CET24005001087.120.116.245192.168.2.6
                Jan 15, 2025 03:53:03.667885065 CET500112400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:03.672842979 CET24005001187.120.116.245192.168.2.6
                Jan 15, 2025 03:53:03.674155951 CET500112400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:03.678220034 CET500112400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:03.683022022 CET24005001187.120.116.245192.168.2.6
                Jan 15, 2025 03:53:05.272393942 CET24005001187.120.116.245192.168.2.6
                Jan 15, 2025 03:53:05.272535086 CET500112400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:05.272610903 CET500112400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:05.277451038 CET24005001187.120.116.245192.168.2.6
                Jan 15, 2025 03:53:06.277385950 CET500122400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:06.282383919 CET24005001287.120.116.245192.168.2.6
                Jan 15, 2025 03:53:06.282478094 CET500122400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:06.285671949 CET500122400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:06.290435076 CET24005001287.120.116.245192.168.2.6
                Jan 15, 2025 03:53:07.901401997 CET24005001287.120.116.245192.168.2.6
                Jan 15, 2025 03:53:07.901998997 CET500122400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:07.902060986 CET500122400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:07.907021046 CET24005001287.120.116.245192.168.2.6
                Jan 15, 2025 03:53:08.919822931 CET500132400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:08.924865007 CET24005001387.120.116.245192.168.2.6
                Jan 15, 2025 03:53:08.924927950 CET500132400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:08.929352999 CET500132400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:08.934393883 CET24005001387.120.116.245192.168.2.6
                Jan 15, 2025 03:53:10.667032003 CET24005001387.120.116.245192.168.2.6
                Jan 15, 2025 03:53:10.667114019 CET500132400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:10.667159081 CET500132400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:10.672019005 CET24005001387.120.116.245192.168.2.6
                Jan 15, 2025 03:53:11.667851925 CET500142400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:11.672933102 CET24005001487.120.116.245192.168.2.6
                Jan 15, 2025 03:53:11.675589085 CET500142400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:11.684227943 CET500142400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:11.689086914 CET24005001487.120.116.245192.168.2.6
                Jan 15, 2025 03:53:13.290189028 CET24005001487.120.116.245192.168.2.6
                Jan 15, 2025 03:53:13.290529966 CET500142400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:13.290585041 CET500142400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:13.295422077 CET24005001487.120.116.245192.168.2.6
                Jan 15, 2025 03:53:14.292927027 CET500152400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:14.420785904 CET24005001587.120.116.245192.168.2.6
                Jan 15, 2025 03:53:14.420923948 CET500152400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:14.423645020 CET500152400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:14.428503036 CET24005001587.120.116.245192.168.2.6
                Jan 15, 2025 03:53:16.024184942 CET24005001587.120.116.245192.168.2.6
                Jan 15, 2025 03:53:16.025531054 CET500152400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:16.025578022 CET500152400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:16.030441999 CET24005001587.120.116.245192.168.2.6
                Jan 15, 2025 03:53:17.027704954 CET500172400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:17.032960892 CET24005001787.120.116.245192.168.2.6
                Jan 15, 2025 03:53:17.033039093 CET500172400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:17.038358927 CET500172400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:17.043358088 CET24005001787.120.116.245192.168.2.6
                Jan 15, 2025 03:53:18.654757023 CET24005001787.120.116.245192.168.2.6
                Jan 15, 2025 03:53:18.654841900 CET500172400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:18.654895067 CET500172400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:18.659668922 CET24005001787.120.116.245192.168.2.6
                Jan 15, 2025 03:53:19.667968035 CET500182400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:19.672908068 CET24005001887.120.116.245192.168.2.6
                Jan 15, 2025 03:53:19.675540924 CET500182400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:19.679740906 CET500182400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:19.684536934 CET24005001887.120.116.245192.168.2.6
                Jan 15, 2025 03:53:21.308309078 CET24005001887.120.116.245192.168.2.6
                Jan 15, 2025 03:53:21.310575008 CET500182400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:21.310663939 CET500182400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:21.315442085 CET24005001887.120.116.245192.168.2.6
                Jan 15, 2025 03:53:22.324068069 CET500192400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:22.329056025 CET24005001987.120.116.245192.168.2.6
                Jan 15, 2025 03:53:22.329118967 CET500192400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:22.332175970 CET500192400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:22.337521076 CET24005001987.120.116.245192.168.2.6
                Jan 15, 2025 03:53:24.025899887 CET24005001987.120.116.245192.168.2.6
                Jan 15, 2025 03:53:24.026035070 CET500192400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:24.026185989 CET500192400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:24.031001091 CET24005001987.120.116.245192.168.2.6
                Jan 15, 2025 03:53:25.027486086 CET500202400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:25.032388926 CET24005002087.120.116.245192.168.2.6
                Jan 15, 2025 03:53:25.032469988 CET500202400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:25.035712004 CET500202400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:25.040462017 CET24005002087.120.116.245192.168.2.6
                Jan 15, 2025 03:53:26.638124943 CET24005002087.120.116.245192.168.2.6
                Jan 15, 2025 03:53:26.639648914 CET500202400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:26.639648914 CET500202400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:26.644488096 CET24005002087.120.116.245192.168.2.6
                Jan 15, 2025 03:53:27.652246952 CET500222400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:27.657238960 CET24005002287.120.116.245192.168.2.6
                Jan 15, 2025 03:53:27.657341003 CET500222400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:27.660156012 CET500222400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:27.664984941 CET24005002287.120.116.245192.168.2.6
                Jan 15, 2025 03:53:29.427689075 CET24005002287.120.116.245192.168.2.6
                Jan 15, 2025 03:53:29.429904938 CET500222400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:29.429941893 CET500222400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:29.434853077 CET24005002287.120.116.245192.168.2.6
                Jan 15, 2025 03:53:30.402452946 CET500232400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:30.407764912 CET24005002387.120.116.245192.168.2.6
                Jan 15, 2025 03:53:30.407850027 CET500232400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:30.412923098 CET500232400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:30.417712927 CET24005002387.120.116.245192.168.2.6
                Jan 15, 2025 03:53:32.046850920 CET24005002387.120.116.245192.168.2.6
                Jan 15, 2025 03:53:32.046933889 CET500232400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:32.047024012 CET500232400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:32.051759958 CET24005002387.120.116.245192.168.2.6
                Jan 15, 2025 03:53:32.996234894 CET500242400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:33.001280069 CET24005002487.120.116.245192.168.2.6
                Jan 15, 2025 03:53:33.001656055 CET500242400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:33.005825043 CET500242400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:33.010611057 CET24005002487.120.116.245192.168.2.6
                Jan 15, 2025 03:53:34.617367983 CET24005002487.120.116.245192.168.2.6
                Jan 15, 2025 03:53:34.617455006 CET500242400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:34.617604971 CET500242400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:34.622306108 CET24005002487.120.116.245192.168.2.6
                Jan 15, 2025 03:53:35.527587891 CET500252400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:35.532584906 CET24005002587.120.116.245192.168.2.6
                Jan 15, 2025 03:53:35.532666922 CET500252400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:35.538175106 CET500252400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:35.542988062 CET24005002587.120.116.245192.168.2.6
                Jan 15, 2025 03:53:37.152057886 CET24005002587.120.116.245192.168.2.6
                Jan 15, 2025 03:53:37.152143002 CET500252400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:37.152939081 CET500252400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:37.157779932 CET24005002587.120.116.245192.168.2.6
                Jan 15, 2025 03:53:38.027520895 CET500262400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:38.032474995 CET24005002687.120.116.245192.168.2.6
                Jan 15, 2025 03:53:38.032620907 CET500262400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:38.037724018 CET500262400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:38.042567015 CET24005002687.120.116.245192.168.2.6
                Jan 15, 2025 03:53:39.632786036 CET24005002687.120.116.245192.168.2.6
                Jan 15, 2025 03:53:39.635618925 CET500262400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:39.635670900 CET500262400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:39.640485048 CET24005002687.120.116.245192.168.2.6
                Jan 15, 2025 03:53:40.480730057 CET500272400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:40.485858917 CET24005002787.120.116.245192.168.2.6
                Jan 15, 2025 03:53:40.485929012 CET500272400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:40.490380049 CET500272400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:40.496246099 CET24005002787.120.116.245192.168.2.6
                Jan 15, 2025 03:53:42.105009079 CET24005002787.120.116.245192.168.2.6
                Jan 15, 2025 03:53:42.105079889 CET500272400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:42.105154991 CET500272400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:42.109915972 CET24005002787.120.116.245192.168.2.6
                Jan 15, 2025 03:53:42.933621883 CET500282400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:42.938705921 CET24005002887.120.116.245192.168.2.6
                Jan 15, 2025 03:53:42.938790083 CET500282400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:42.942327023 CET500282400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:42.947173119 CET24005002887.120.116.245192.168.2.6
                Jan 15, 2025 03:53:44.558903933 CET24005002887.120.116.245192.168.2.6
                Jan 15, 2025 03:53:44.559001923 CET500282400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:44.559031963 CET500282400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:44.563927889 CET24005002887.120.116.245192.168.2.6
                Jan 15, 2025 03:53:45.355462074 CET500292400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:45.360831976 CET24005002987.120.116.245192.168.2.6
                Jan 15, 2025 03:53:45.363635063 CET500292400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:45.368349075 CET500292400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:45.373291016 CET24005002987.120.116.245192.168.2.6
                Jan 15, 2025 03:53:46.980585098 CET24005002987.120.116.245192.168.2.6
                Jan 15, 2025 03:53:46.982081890 CET500292400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:46.982131004 CET500292400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:46.986965895 CET24005002987.120.116.245192.168.2.6
                Jan 15, 2025 03:53:47.746329069 CET500302400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:47.760318041 CET24005003087.120.116.245192.168.2.6
                Jan 15, 2025 03:53:47.760499001 CET500302400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:47.764746904 CET500302400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:47.769567966 CET24005003087.120.116.245192.168.2.6
                Jan 15, 2025 03:53:49.370417118 CET24005003087.120.116.245192.168.2.6
                Jan 15, 2025 03:53:49.370482922 CET500302400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:49.370605946 CET500302400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:49.375493050 CET24005003087.120.116.245192.168.2.6
                Jan 15, 2025 03:53:50.121243000 CET500312400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:50.126276970 CET24005003187.120.116.245192.168.2.6
                Jan 15, 2025 03:53:50.129647970 CET500312400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:50.133131027 CET500312400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:50.137926102 CET24005003187.120.116.245192.168.2.6
                Jan 15, 2025 03:53:51.781323910 CET24005003187.120.116.245192.168.2.6
                Jan 15, 2025 03:53:51.781419992 CET500312400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:51.781455994 CET500312400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:51.786254883 CET24005003187.120.116.245192.168.2.6
                Jan 15, 2025 03:53:52.496095896 CET500322400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:52.501204014 CET24005003287.120.116.245192.168.2.6
                Jan 15, 2025 03:53:52.503762960 CET500322400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:52.507159948 CET500322400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:52.512042999 CET24005003287.120.116.245192.168.2.6
                Jan 15, 2025 03:53:54.119244099 CET24005003287.120.116.245192.168.2.6
                Jan 15, 2025 03:53:54.119693041 CET500322400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:54.123595953 CET500322400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:54.128599882 CET24005003287.120.116.245192.168.2.6
                Jan 15, 2025 03:53:54.808695078 CET500332400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:54.813672066 CET24005003387.120.116.245192.168.2.6
                Jan 15, 2025 03:53:54.813749075 CET500332400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:54.818295002 CET500332400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:54.823126078 CET24005003387.120.116.245192.168.2.6
                Jan 15, 2025 03:53:56.414171934 CET24005003387.120.116.245192.168.2.6
                Jan 15, 2025 03:53:56.414225101 CET500332400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:56.414307117 CET500332400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:56.419033051 CET24005003387.120.116.245192.168.2.6
                Jan 15, 2025 03:53:57.089834929 CET500342400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:57.096148014 CET24005003487.120.116.245192.168.2.6
                Jan 15, 2025 03:53:57.098782063 CET500342400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:57.102431059 CET500342400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:57.107362986 CET24005003487.120.116.245192.168.2.6
                Jan 15, 2025 03:53:58.730552912 CET24005003487.120.116.245192.168.2.6
                Jan 15, 2025 03:53:58.734421015 CET500342400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:58.734513044 CET500342400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:58.739399910 CET24005003487.120.116.245192.168.2.6
                Jan 15, 2025 03:53:59.386853933 CET500352400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:59.391861916 CET24005003587.120.116.245192.168.2.6
                Jan 15, 2025 03:53:59.391943932 CET500352400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:59.396375895 CET500352400192.168.2.687.120.116.245
                Jan 15, 2025 03:53:59.401204109 CET24005003587.120.116.245192.168.2.6
                Jan 15, 2025 03:54:01.071938038 CET24005003587.120.116.245192.168.2.6
                Jan 15, 2025 03:54:01.072076082 CET500352400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:01.072077036 CET500352400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:01.076898098 CET24005003587.120.116.245192.168.2.6
                Jan 15, 2025 03:54:01.699323893 CET500362400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:01.705862045 CET24005003687.120.116.245192.168.2.6
                Jan 15, 2025 03:54:01.709944963 CET500362400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:01.713255882 CET500362400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:01.718879938 CET24005003687.120.116.245192.168.2.6
                Jan 15, 2025 03:54:03.345391989 CET24005003687.120.116.245192.168.2.6
                Jan 15, 2025 03:54:03.347668886 CET500362400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:03.736371994 CET500362400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:03.741450071 CET24005003687.120.116.245192.168.2.6
                Jan 15, 2025 03:54:04.355401039 CET500372400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:04.360505104 CET24005003787.120.116.245192.168.2.6
                Jan 15, 2025 03:54:04.360569000 CET500372400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:04.363317966 CET500372400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:04.368148088 CET24005003787.120.116.245192.168.2.6
                Jan 15, 2025 03:54:05.982726097 CET24005003787.120.116.245192.168.2.6
                Jan 15, 2025 03:54:05.985373020 CET500372400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:05.985421896 CET500372400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:05.990266085 CET24005003787.120.116.245192.168.2.6
                Jan 15, 2025 03:54:06.574243069 CET500382400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:06.579241037 CET24005003887.120.116.245192.168.2.6
                Jan 15, 2025 03:54:06.579341888 CET500382400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:06.582493067 CET500382400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:06.587383032 CET24005003887.120.116.245192.168.2.6
                Jan 15, 2025 03:54:08.214334965 CET24005003887.120.116.245192.168.2.6
                Jan 15, 2025 03:54:08.214669943 CET500382400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:08.214669943 CET500382400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:08.219549894 CET24005003887.120.116.245192.168.2.6
                Jan 15, 2025 03:54:08.777384043 CET500392400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:08.782329082 CET24005003987.120.116.245192.168.2.6
                Jan 15, 2025 03:54:08.782386065 CET500392400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:08.786397934 CET500392400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:08.791268110 CET24005003987.120.116.245192.168.2.6
                Jan 15, 2025 03:54:10.401659012 CET24005003987.120.116.245192.168.2.6
                Jan 15, 2025 03:54:10.401861906 CET500392400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:10.401861906 CET500392400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:10.406681061 CET24005003987.120.116.245192.168.2.6
                Jan 15, 2025 03:54:10.949377060 CET500402400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:11.036547899 CET24005004087.120.116.245192.168.2.6
                Jan 15, 2025 03:54:11.036637068 CET500402400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:11.039721012 CET500402400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:11.045485973 CET24005004087.120.116.245192.168.2.6
                Jan 15, 2025 03:54:12.635387897 CET24005004087.120.116.245192.168.2.6
                Jan 15, 2025 03:54:12.635516882 CET500402400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:12.635607958 CET500402400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:12.640485048 CET24005004087.120.116.245192.168.2.6
                Jan 15, 2025 03:54:13.168003082 CET500412400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:13.173013926 CET24005004187.120.116.245192.168.2.6
                Jan 15, 2025 03:54:13.174068928 CET500412400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:13.177217007 CET500412400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:13.182029009 CET24005004187.120.116.245192.168.2.6
                Jan 15, 2025 03:54:14.794780970 CET24005004187.120.116.245192.168.2.6
                Jan 15, 2025 03:54:14.794990063 CET500412400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:14.794990063 CET500412400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:14.799952984 CET24005004187.120.116.245192.168.2.6
                Jan 15, 2025 03:54:15.308733940 CET500422400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:15.313793898 CET24005004287.120.116.245192.168.2.6
                Jan 15, 2025 03:54:15.317821026 CET500422400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:15.320843935 CET500422400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:15.325650930 CET24005004287.120.116.245192.168.2.6
                Jan 15, 2025 03:54:16.953380108 CET24005004287.120.116.245192.168.2.6
                Jan 15, 2025 03:54:16.953464985 CET500422400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:16.959208012 CET500422400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:16.964031935 CET24005004287.120.116.245192.168.2.6
                Jan 15, 2025 03:54:17.464956045 CET500432400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:17.470451117 CET24005004387.120.116.245192.168.2.6
                Jan 15, 2025 03:54:17.471046925 CET500432400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:17.474698067 CET500432400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:17.479574919 CET24005004387.120.116.245192.168.2.6
                Jan 15, 2025 03:54:19.126920938 CET24005004387.120.116.245192.168.2.6
                Jan 15, 2025 03:54:19.127043962 CET500432400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:19.127134085 CET500432400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:19.131941080 CET24005004387.120.116.245192.168.2.6
                Jan 15, 2025 03:54:19.615953922 CET500442400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:19.621521950 CET24005004487.120.116.245192.168.2.6
                Jan 15, 2025 03:54:19.622366905 CET500442400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:19.685911894 CET500442400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:19.690887928 CET24005004487.120.116.245192.168.2.6
                Jan 15, 2025 03:54:21.246639013 CET24005004487.120.116.245192.168.2.6
                Jan 15, 2025 03:54:21.246732950 CET500442400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:21.246819973 CET500442400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:21.251698017 CET24005004487.120.116.245192.168.2.6
                Jan 15, 2025 03:54:21.715095997 CET500452400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:21.720484972 CET24005004587.120.116.245192.168.2.6
                Jan 15, 2025 03:54:21.720561028 CET500452400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:21.723509073 CET500452400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:21.728518009 CET24005004587.120.116.245192.168.2.6
                Jan 15, 2025 03:54:23.355886936 CET24005004587.120.116.245192.168.2.6
                Jan 15, 2025 03:54:23.355981112 CET500452400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:23.356024027 CET500452400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:23.360919952 CET24005004587.120.116.245192.168.2.6
                Jan 15, 2025 03:54:23.808743954 CET500462400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:23.813659906 CET24005004687.120.116.245192.168.2.6
                Jan 15, 2025 03:54:23.813721895 CET500462400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:23.817136049 CET500462400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:23.821989059 CET24005004687.120.116.245192.168.2.6
                Jan 15, 2025 03:54:25.455101967 CET24005004687.120.116.245192.168.2.6
                Jan 15, 2025 03:54:25.455162048 CET500462400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:25.455241919 CET500462400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:25.460089922 CET24005004687.120.116.245192.168.2.6
                Jan 15, 2025 03:54:25.886833906 CET500472400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:25.891884089 CET24005004787.120.116.245192.168.2.6
                Jan 15, 2025 03:54:25.891972065 CET500472400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:25.895104885 CET500472400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:25.900852919 CET24005004787.120.116.245192.168.2.6
                Jan 15, 2025 03:54:27.512581110 CET24005004787.120.116.245192.168.2.6
                Jan 15, 2025 03:54:27.512717962 CET500472400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:27.512717962 CET500472400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:27.517565966 CET24005004787.120.116.245192.168.2.6
                Jan 15, 2025 03:54:27.933621883 CET500482400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:27.938601017 CET24005004887.120.116.245192.168.2.6
                Jan 15, 2025 03:54:27.942610979 CET500482400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:27.945966005 CET500482400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:27.950742960 CET24005004887.120.116.245192.168.2.6
                Jan 15, 2025 03:54:29.561222076 CET24005004887.120.116.245192.168.2.6
                Jan 15, 2025 03:54:29.563772917 CET500482400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:29.563826084 CET500482400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:29.568710089 CET24005004887.120.116.245192.168.2.6
                Jan 15, 2025 03:54:29.965240955 CET500492400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:29.971470118 CET24005004987.120.116.245192.168.2.6
                Jan 15, 2025 03:54:29.971772909 CET500492400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:29.976501942 CET500492400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:29.981504917 CET24005004987.120.116.245192.168.2.6
                Jan 15, 2025 03:54:31.590024948 CET24005004987.120.116.245192.168.2.6
                Jan 15, 2025 03:54:31.590137005 CET500492400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:31.590240002 CET500492400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:31.595115900 CET24005004987.120.116.245192.168.2.6
                Jan 15, 2025 03:54:31.980585098 CET500502400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:31.985610008 CET24005005087.120.116.245192.168.2.6
                Jan 15, 2025 03:54:31.985706091 CET500502400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:31.988776922 CET500502400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:31.993628979 CET24005005087.120.116.245192.168.2.6
                Jan 15, 2025 03:54:33.626246929 CET24005005087.120.116.245192.168.2.6
                Jan 15, 2025 03:54:33.626384974 CET500502400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:33.626579046 CET500502400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:33.631428003 CET24005005087.120.116.245192.168.2.6
                Jan 15, 2025 03:54:34.011991978 CET500512400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:34.016794920 CET24005005187.120.116.245192.168.2.6
                Jan 15, 2025 03:54:34.016921043 CET500512400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:34.021444082 CET500512400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:34.026222944 CET24005005187.120.116.245192.168.2.6
                Jan 15, 2025 03:54:35.618864059 CET24005005187.120.116.245192.168.2.6
                Jan 15, 2025 03:54:35.618968010 CET500512400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:35.619038105 CET500512400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:35.623927116 CET24005005187.120.116.245192.168.2.6
                Jan 15, 2025 03:54:35.996654987 CET500522400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:36.001746893 CET24005005287.120.116.245192.168.2.6
                Jan 15, 2025 03:54:36.003806114 CET500522400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:36.008429050 CET500522400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:36.013344049 CET24005005287.120.116.245192.168.2.6
                Jan 15, 2025 03:54:37.603030920 CET24005005287.120.116.245192.168.2.6
                Jan 15, 2025 03:54:37.607783079 CET500522400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:37.607860088 CET500522400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:37.612725973 CET24005005287.120.116.245192.168.2.6
                Jan 15, 2025 03:54:37.965111971 CET500532400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:37.970740080 CET24005005387.120.116.245192.168.2.6
                Jan 15, 2025 03:54:37.973844051 CET500532400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:37.977349997 CET500532400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:37.982254028 CET24005005387.120.116.245192.168.2.6
                Jan 15, 2025 03:54:39.571064949 CET24005005387.120.116.245192.168.2.6
                Jan 15, 2025 03:54:39.571156025 CET500532400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:39.571235895 CET500532400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:39.576091051 CET24005005387.120.116.245192.168.2.6
                Jan 15, 2025 03:54:39.918232918 CET500542400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:39.923234940 CET24005005487.120.116.245192.168.2.6
                Jan 15, 2025 03:54:39.923338890 CET500542400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:39.926347017 CET500542400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:39.931169033 CET24005005487.120.116.245192.168.2.6
                Jan 15, 2025 03:54:41.544028997 CET24005005487.120.116.245192.168.2.6
                Jan 15, 2025 03:54:41.546818972 CET500542400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:41.546819925 CET500542400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:41.551886082 CET24005005487.120.116.245192.168.2.6
                Jan 15, 2025 03:54:41.887099981 CET500552400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:41.892079115 CET24005005587.120.116.245192.168.2.6
                Jan 15, 2025 03:54:41.892159939 CET500552400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:41.895386934 CET500552400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:41.900213957 CET24005005587.120.116.245192.168.2.6
                Jan 15, 2025 03:54:43.514247894 CET24005005587.120.116.245192.168.2.6
                Jan 15, 2025 03:54:43.514334917 CET500552400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:43.514417887 CET500552400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:43.519352913 CET24005005587.120.116.245192.168.2.6
                Jan 15, 2025 03:54:43.839916945 CET500562400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:43.845071077 CET24005005687.120.116.245192.168.2.6
                Jan 15, 2025 03:54:43.845139980 CET500562400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:43.847896099 CET500562400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:43.852897882 CET24005005687.120.116.245192.168.2.6
                Jan 15, 2025 03:54:45.450206041 CET24005005687.120.116.245192.168.2.6
                Jan 15, 2025 03:54:45.450273991 CET500562400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:45.450345039 CET500562400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:45.455213070 CET24005005687.120.116.245192.168.2.6
                Jan 15, 2025 03:54:45.768903017 CET500572400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:45.774017096 CET24005005787.120.116.245192.168.2.6
                Jan 15, 2025 03:54:45.774096966 CET500572400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:45.842219114 CET500572400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:45.847291946 CET24005005787.120.116.245192.168.2.6
                Jan 15, 2025 03:54:47.387960911 CET24005005787.120.116.245192.168.2.6
                Jan 15, 2025 03:54:47.388118029 CET500572400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:47.388248920 CET500572400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:47.393112898 CET24005005787.120.116.245192.168.2.6
                Jan 15, 2025 03:54:47.683705091 CET500582400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:47.688750029 CET24005005887.120.116.245192.168.2.6
                Jan 15, 2025 03:54:47.688843966 CET500582400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:47.692840099 CET500582400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:47.697710991 CET24005005887.120.116.245192.168.2.6
                Jan 15, 2025 03:54:49.325920105 CET24005005887.120.116.245192.168.2.6
                Jan 15, 2025 03:54:49.326076031 CET500582400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:49.326076031 CET500582400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:49.331165075 CET24005005887.120.116.245192.168.2.6
                Jan 15, 2025 03:54:49.621296883 CET500592400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:49.626444101 CET24005005987.120.116.245192.168.2.6
                Jan 15, 2025 03:54:49.626699924 CET500592400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:49.629405022 CET500592400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:49.634239912 CET24005005987.120.116.245192.168.2.6
                Jan 15, 2025 03:54:51.247183084 CET24005005987.120.116.245192.168.2.6
                Jan 15, 2025 03:54:51.247416019 CET500592400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:51.247453928 CET500592400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:51.252372026 CET24005005987.120.116.245192.168.2.6
                Jan 15, 2025 03:54:51.527477026 CET500602400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:51.532418013 CET24005006087.120.116.245192.168.2.6
                Jan 15, 2025 03:54:51.532869101 CET500602400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:51.535650015 CET500602400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:51.540508032 CET24005006087.120.116.245192.168.2.6
                Jan 15, 2025 03:54:53.155425072 CET24005006087.120.116.245192.168.2.6
                Jan 15, 2025 03:54:53.155519009 CET500602400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:53.155572891 CET500602400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:53.160523891 CET24005006087.120.116.245192.168.2.6
                Jan 15, 2025 03:54:53.433805943 CET500612400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:53.438740969 CET24005006187.120.116.245192.168.2.6
                Jan 15, 2025 03:54:53.438807964 CET500612400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:53.443140030 CET500612400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:53.448010921 CET24005006187.120.116.245192.168.2.6
                Jan 15, 2025 03:54:55.060750961 CET24005006187.120.116.245192.168.2.6
                Jan 15, 2025 03:54:55.062335968 CET500612400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:55.062380075 CET500612400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:55.067584038 CET24005006187.120.116.245192.168.2.6
                Jan 15, 2025 03:54:55.324553013 CET500622400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:55.330847025 CET24005006287.120.116.245192.168.2.6
                Jan 15, 2025 03:54:55.330923080 CET500622400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:55.335057020 CET500622400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:55.340078115 CET24005006287.120.116.245192.168.2.6
                Jan 15, 2025 03:54:57.011348009 CET24005006287.120.116.245192.168.2.6
                Jan 15, 2025 03:54:57.011472940 CET500622400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:57.011624098 CET500622400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:57.016494036 CET24005006287.120.116.245192.168.2.6
                Jan 15, 2025 03:54:57.261873960 CET500642400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:57.267338991 CET24005006487.120.116.245192.168.2.6
                Jan 15, 2025 03:54:57.267443895 CET500642400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:57.270226955 CET500642400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:57.275074005 CET24005006487.120.116.245192.168.2.6
                Jan 15, 2025 03:54:58.908026934 CET24005006487.120.116.245192.168.2.6
                Jan 15, 2025 03:54:58.908122063 CET500642400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:58.908168077 CET500642400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:58.913074970 CET24005006487.120.116.245192.168.2.6
                Jan 15, 2025 03:54:59.152654886 CET500652400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:59.157830954 CET24005006587.120.116.245192.168.2.6
                Jan 15, 2025 03:54:59.157908916 CET500652400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:59.162003040 CET500652400192.168.2.687.120.116.245
                Jan 15, 2025 03:54:59.166928053 CET24005006587.120.116.245192.168.2.6
                Jan 15, 2025 03:55:00.797777891 CET24005006587.120.116.245192.168.2.6
                Jan 15, 2025 03:55:00.799649954 CET500652400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:00.799746037 CET500652400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:00.804801941 CET24005006587.120.116.245192.168.2.6
                Jan 15, 2025 03:55:01.043179989 CET500662400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:01.048206091 CET24005006687.120.116.245192.168.2.6
                Jan 15, 2025 03:55:01.052567959 CET500662400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:01.055335045 CET500662400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:01.060136080 CET24005006687.120.116.245192.168.2.6
                Jan 15, 2025 03:55:02.658929110 CET24005006687.120.116.245192.168.2.6
                Jan 15, 2025 03:55:02.659828901 CET500662400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:02.659867048 CET500662400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:02.664766073 CET24005006687.120.116.245192.168.2.6
                Jan 15, 2025 03:55:02.887155056 CET500672400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:02.892256021 CET24005006787.120.116.245192.168.2.6
                Jan 15, 2025 03:55:02.892329931 CET500672400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:02.895107985 CET500672400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:02.899955988 CET24005006787.120.116.245192.168.2.6
                Jan 15, 2025 03:55:06.915535927 CET24005006787.120.116.245192.168.2.6
                Jan 15, 2025 03:55:06.915608883 CET500672400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:06.915651083 CET500672400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:06.920488119 CET24005006787.120.116.245192.168.2.6
                Jan 15, 2025 03:55:07.137031078 CET500682400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:07.142119884 CET24005006887.120.116.245192.168.2.6
                Jan 15, 2025 03:55:07.143416882 CET500682400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:07.146589994 CET500682400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:07.151442051 CET24005006887.120.116.245192.168.2.6
                Jan 15, 2025 03:55:08.771703959 CET24005006887.120.116.245192.168.2.6
                Jan 15, 2025 03:55:08.773634911 CET500682400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:08.773684025 CET500682400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:08.778594017 CET24005006887.120.116.245192.168.2.6
                Jan 15, 2025 03:55:09.004348993 CET500692400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:09.009186029 CET24005006987.120.116.245192.168.2.6
                Jan 15, 2025 03:55:09.011624098 CET500692400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:09.041688919 CET500692400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:09.046582937 CET24005006987.120.116.245192.168.2.6
                Jan 15, 2025 03:55:10.623481035 CET24005006987.120.116.245192.168.2.6
                Jan 15, 2025 03:55:10.623543024 CET500692400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:10.623574018 CET500692400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:10.628397942 CET24005006987.120.116.245192.168.2.6
                Jan 15, 2025 03:55:10.840183973 CET500702400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:10.845854044 CET24005007087.120.116.245192.168.2.6
                Jan 15, 2025 03:55:10.845938921 CET500702400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:10.848653078 CET500702400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:10.853569031 CET24005007087.120.116.245192.168.2.6
                Jan 15, 2025 03:55:12.447890043 CET24005007087.120.116.245192.168.2.6
                Jan 15, 2025 03:55:12.451874018 CET500702400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:12.451936960 CET500702400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:12.456796885 CET24005007087.120.116.245192.168.2.6
                Jan 15, 2025 03:55:12.652517080 CET500712400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:12.657346010 CET24005007187.120.116.245192.168.2.6
                Jan 15, 2025 03:55:12.659892082 CET500712400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:12.662602901 CET500712400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:12.667454004 CET24005007187.120.116.245192.168.2.6
                Jan 15, 2025 03:55:14.278808117 CET24005007187.120.116.245192.168.2.6
                Jan 15, 2025 03:55:14.278997898 CET500712400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:14.278997898 CET500712400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:14.283926010 CET24005007187.120.116.245192.168.2.6
                Jan 15, 2025 03:55:14.480808020 CET500722400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:14.485848904 CET24005007287.120.116.245192.168.2.6
                Jan 15, 2025 03:55:14.485929012 CET500722400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:14.489814997 CET500722400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:14.495798111 CET24005007287.120.116.245192.168.2.6
                Jan 15, 2025 03:55:16.091641903 CET24005007287.120.116.245192.168.2.6
                Jan 15, 2025 03:55:16.091814995 CET500722400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:16.091814995 CET500722400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:16.096733093 CET24005007287.120.116.245192.168.2.6
                Jan 15, 2025 03:55:16.277565956 CET500732400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:16.282427073 CET24005007387.120.116.245192.168.2.6
                Jan 15, 2025 03:55:16.287444115 CET500732400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:16.290653944 CET500732400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:16.295511961 CET24005007387.120.116.245192.168.2.6
                Jan 15, 2025 03:55:17.923861980 CET24005007387.120.116.245192.168.2.6
                Jan 15, 2025 03:55:17.923995018 CET500732400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:17.924030066 CET500732400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:17.928756952 CET24005007387.120.116.245192.168.2.6
                Jan 15, 2025 03:55:18.105988026 CET500742400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:18.111090899 CET24005007487.120.116.245192.168.2.6
                Jan 15, 2025 03:55:18.111246109 CET500742400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:18.114543915 CET500742400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:18.119339943 CET24005007487.120.116.245192.168.2.6
                Jan 15, 2025 03:55:19.751929998 CET24005007487.120.116.245192.168.2.6
                Jan 15, 2025 03:55:19.752075911 CET500742400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:19.752176046 CET500742400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:19.756980896 CET24005007487.120.116.245192.168.2.6
                Jan 15, 2025 03:55:19.934089899 CET500752400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:19.939277887 CET24005007587.120.116.245192.168.2.6
                Jan 15, 2025 03:55:19.939374924 CET500752400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:19.942468882 CET500752400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:19.947344065 CET24005007587.120.116.245192.168.2.6
                Jan 15, 2025 03:55:21.562868118 CET24005007587.120.116.245192.168.2.6
                Jan 15, 2025 03:55:21.565936089 CET500752400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:21.565973043 CET500752400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:21.570755005 CET24005007587.120.116.245192.168.2.6
                Jan 15, 2025 03:55:21.746279001 CET500762400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:21.751334906 CET24005007687.120.116.245192.168.2.6
                Jan 15, 2025 03:55:21.751395941 CET500762400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:21.754966021 CET500762400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:21.759804964 CET24005007687.120.116.245192.168.2.6
                Jan 15, 2025 03:55:23.375386953 CET24005007687.120.116.245192.168.2.6
                Jan 15, 2025 03:55:23.377942085 CET500762400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:23.378016949 CET500762400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:23.384030104 CET24005007687.120.116.245192.168.2.6
                Jan 15, 2025 03:55:23.543261051 CET500772400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:23.549413919 CET24005007787.120.116.245192.168.2.6
                Jan 15, 2025 03:55:23.549508095 CET500772400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:23.552984953 CET500772400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:23.559004068 CET24005007787.120.116.245192.168.2.6
                Jan 15, 2025 03:55:25.150698900 CET24005007787.120.116.245192.168.2.6
                Jan 15, 2025 03:55:25.150772095 CET500772400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:25.150825024 CET500772400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:25.155555964 CET24005007787.120.116.245192.168.2.6
                Jan 15, 2025 03:55:25.309021950 CET500782400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:25.313885927 CET24005007887.120.116.245192.168.2.6
                Jan 15, 2025 03:55:25.313946009 CET500782400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:25.320658922 CET500782400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:25.325371981 CET24005007887.120.116.245192.168.2.6
                Jan 15, 2025 03:55:26.900355101 CET24005007887.120.116.245192.168.2.6
                Jan 15, 2025 03:55:26.900547981 CET500782400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:26.900548935 CET500782400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:26.905518055 CET24005007887.120.116.245192.168.2.6
                Jan 15, 2025 03:55:27.059027910 CET500792400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:27.064502954 CET24005007987.120.116.245192.168.2.6
                Jan 15, 2025 03:55:27.064579010 CET500792400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:27.068717003 CET500792400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:27.073601007 CET24005007987.120.116.245192.168.2.6
                Jan 15, 2025 03:55:28.650233984 CET24005007987.120.116.245192.168.2.6
                Jan 15, 2025 03:55:28.650327921 CET500792400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:28.650378942 CET500792400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:28.656042099 CET24005007987.120.116.245192.168.2.6
                Jan 15, 2025 03:55:28.808938026 CET500802400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:28.814116001 CET24005008087.120.116.245192.168.2.6
                Jan 15, 2025 03:55:28.814208031 CET500802400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:28.817507029 CET500802400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:28.822294950 CET24005008087.120.116.245192.168.2.6
                Jan 15, 2025 03:55:30.437328100 CET24005008087.120.116.245192.168.2.6
                Jan 15, 2025 03:55:30.439932108 CET500802400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:30.440347910 CET500802400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:30.445158005 CET24005008087.120.116.245192.168.2.6
                Jan 15, 2025 03:55:30.590126991 CET500812400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:30.595284939 CET24005008187.120.116.245192.168.2.6
                Jan 15, 2025 03:55:30.595381021 CET500812400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:30.598530054 CET500812400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:30.603379011 CET24005008187.120.116.245192.168.2.6
                Jan 15, 2025 03:55:32.217396021 CET24005008187.120.116.245192.168.2.6
                Jan 15, 2025 03:55:32.218938112 CET500812400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:32.218986034 CET500812400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:32.223810911 CET24005008187.120.116.245192.168.2.6
                Jan 15, 2025 03:55:32.355674028 CET500822400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:32.360506058 CET24005008287.120.116.245192.168.2.6
                Jan 15, 2025 03:55:32.362878084 CET500822400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:32.364404917 CET500822400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:32.369319916 CET24005008287.120.116.245192.168.2.6
                Jan 15, 2025 03:55:33.963022947 CET24005008287.120.116.245192.168.2.6
                Jan 15, 2025 03:55:33.963133097 CET500822400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:33.963186026 CET500822400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:33.967964888 CET24005008287.120.116.245192.168.2.6
                Jan 15, 2025 03:55:34.108500957 CET500832400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:34.113428116 CET24005008387.120.116.245192.168.2.6
                Jan 15, 2025 03:55:34.113504887 CET500832400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:34.116771936 CET500832400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:34.121603012 CET24005008387.120.116.245192.168.2.6
                Jan 15, 2025 03:55:35.733486891 CET24005008387.120.116.245192.168.2.6
                Jan 15, 2025 03:55:35.733580112 CET500832400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:35.733665943 CET500832400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:35.738564968 CET24005008387.120.116.245192.168.2.6
                Jan 15, 2025 03:55:35.871432066 CET500842400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:35.876372099 CET24005008487.120.116.245192.168.2.6
                Jan 15, 2025 03:55:35.879965067 CET500842400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:35.883218050 CET500842400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:35.888362885 CET24005008487.120.116.245192.168.2.6
                Jan 15, 2025 03:55:37.499677896 CET24005008487.120.116.245192.168.2.6
                Jan 15, 2025 03:55:37.500070095 CET500842400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:37.500102043 CET500842400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:37.504906893 CET24005008487.120.116.245192.168.2.6
                Jan 15, 2025 03:55:37.637042046 CET500852400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:37.641895056 CET24005008587.120.116.245192.168.2.6
                Jan 15, 2025 03:55:37.641961098 CET500852400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:37.645275116 CET500852400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:37.650032997 CET24005008587.120.116.245192.168.2.6
                Jan 15, 2025 03:55:39.278992891 CET24005008587.120.116.245192.168.2.6
                Jan 15, 2025 03:55:39.280091047 CET500852400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:39.282602072 CET500852400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:39.287435055 CET24005008587.120.116.245192.168.2.6
                Jan 15, 2025 03:55:39.402596951 CET500862400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:39.407733917 CET24005008687.120.116.245192.168.2.6
                Jan 15, 2025 03:55:39.407952070 CET500862400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:39.410701990 CET500862400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:39.415602922 CET24005008687.120.116.245192.168.2.6
                Jan 15, 2025 03:55:41.103554964 CET24005008687.120.116.245192.168.2.6
                Jan 15, 2025 03:55:41.103971958 CET500862400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:41.104016066 CET500862400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:41.108936071 CET24005008687.120.116.245192.168.2.6
                Jan 15, 2025 03:55:41.230830908 CET500872400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:41.235773087 CET24005008787.120.116.245192.168.2.6
                Jan 15, 2025 03:55:41.235894918 CET500872400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:41.239037037 CET500872400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:41.243793964 CET24005008787.120.116.245192.168.2.6
                Jan 15, 2025 03:55:42.878599882 CET24005008787.120.116.245192.168.2.6
                Jan 15, 2025 03:55:42.878679037 CET500872400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:42.878722906 CET500872400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:42.883632898 CET24005008787.120.116.245192.168.2.6
                Jan 15, 2025 03:55:42.996352911 CET500882400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:43.001266003 CET24005008887.120.116.245192.168.2.6
                Jan 15, 2025 03:55:43.001363039 CET500882400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:43.005978107 CET500882400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:43.011445999 CET24005008887.120.116.245192.168.2.6
                Jan 15, 2025 03:55:44.608395100 CET24005008887.120.116.245192.168.2.6
                Jan 15, 2025 03:55:44.608496904 CET500882400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:44.608582973 CET500882400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:44.613460064 CET24005008887.120.116.245192.168.2.6
                Jan 15, 2025 03:55:44.730791092 CET500892400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:44.735797882 CET24005008987.120.116.245192.168.2.6
                Jan 15, 2025 03:55:44.735879898 CET500892400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:44.738763094 CET500892400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:44.743671894 CET24005008987.120.116.245192.168.2.6
                Jan 15, 2025 03:55:46.354209900 CET24005008987.120.116.245192.168.2.6
                Jan 15, 2025 03:55:46.355984926 CET500892400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:46.356060028 CET500892400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:46.361025095 CET24005008987.120.116.245192.168.2.6
                Jan 15, 2025 03:55:46.468552113 CET500902400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:46.473584890 CET24005009087.120.116.245192.168.2.6
                Jan 15, 2025 03:55:46.474450111 CET500902400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:46.477269888 CET500902400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:46.482160091 CET24005009087.120.116.245192.168.2.6
                Jan 15, 2025 03:55:48.108403921 CET24005009087.120.116.245192.168.2.6
                Jan 15, 2025 03:55:48.108489990 CET500902400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:48.108557940 CET500902400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:48.113396883 CET24005009087.120.116.245192.168.2.6
                Jan 15, 2025 03:55:48.215159893 CET500912400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:48.220108032 CET24005009187.120.116.245192.168.2.6
                Jan 15, 2025 03:55:48.222054005 CET500912400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:48.224796057 CET500912400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:48.229625940 CET24005009187.120.116.245192.168.2.6
                Jan 15, 2025 03:55:49.843677044 CET24005009187.120.116.245192.168.2.6
                Jan 15, 2025 03:55:49.843749046 CET500912400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:49.846743107 CET500912400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:49.851644993 CET24005009187.120.116.245192.168.2.6
                Jan 15, 2025 03:55:49.950846910 CET500922400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:49.955966949 CET24005009287.120.116.245192.168.2.6
                Jan 15, 2025 03:55:49.956034899 CET500922400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:49.969739914 CET500922400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:49.974818945 CET24005009287.120.116.245192.168.2.6
                Jan 15, 2025 03:55:51.557281017 CET24005009287.120.116.245192.168.2.6
                Jan 15, 2025 03:55:51.557415009 CET500922400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:51.557463884 CET500922400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:51.562280893 CET24005009287.120.116.245192.168.2.6
                Jan 15, 2025 03:55:51.652755022 CET500932400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:51.657799006 CET24005009387.120.116.245192.168.2.6
                Jan 15, 2025 03:55:51.657896996 CET500932400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:51.661001921 CET500932400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:51.665787935 CET24005009387.120.116.245192.168.2.6
                Jan 15, 2025 03:55:53.280168056 CET24005009387.120.116.245192.168.2.6
                Jan 15, 2025 03:55:53.280261040 CET500932400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:53.280369043 CET500932400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:53.285321951 CET24005009387.120.116.245192.168.2.6
                Jan 15, 2025 03:55:53.371457100 CET500942400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:53.376564980 CET24005009487.120.116.245192.168.2.6
                Jan 15, 2025 03:55:53.376648903 CET500942400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:53.380441904 CET500942400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:53.385313034 CET24005009487.120.116.245192.168.2.6
                Jan 15, 2025 03:55:54.979027033 CET24005009487.120.116.245192.168.2.6
                Jan 15, 2025 03:55:54.984081030 CET500942400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:54.984139919 CET500942400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:54.989053965 CET24005009487.120.116.245192.168.2.6
                Jan 15, 2025 03:55:55.074562073 CET500952400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:55.079603910 CET24005009587.120.116.245192.168.2.6
                Jan 15, 2025 03:55:55.081752062 CET500952400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:55.084884882 CET500952400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:55.089677095 CET24005009587.120.116.245192.168.2.6
                Jan 15, 2025 03:55:56.722593069 CET24005009587.120.116.245192.168.2.6
                Jan 15, 2025 03:55:56.728142023 CET500952400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:56.728142023 CET500952400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:56.733161926 CET24005009587.120.116.245192.168.2.6
                Jan 15, 2025 03:55:56.824949026 CET500962400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:56.830100060 CET24005009687.120.116.245192.168.2.6
                Jan 15, 2025 03:55:56.830260038 CET500962400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:56.835416079 CET500962400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:56.840280056 CET24005009687.120.116.245192.168.2.6
                Jan 15, 2025 03:55:58.471281052 CET24005009687.120.116.245192.168.2.6
                Jan 15, 2025 03:55:58.471338034 CET500962400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:58.471510887 CET500962400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:58.476350069 CET24005009687.120.116.245192.168.2.6
                Jan 15, 2025 03:55:58.559369087 CET500972400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:58.564274073 CET24005009787.120.116.245192.168.2.6
                Jan 15, 2025 03:55:58.567018032 CET500972400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:58.578865051 CET500972400192.168.2.687.120.116.245
                Jan 15, 2025 03:55:58.583720922 CET24005009787.120.116.245192.168.2.6
                Jan 15, 2025 03:56:00.234673977 CET24005009787.120.116.245192.168.2.6
                Jan 15, 2025 03:56:00.234766006 CET500972400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:00.234853983 CET500972400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:00.239825010 CET24005009787.120.116.245192.168.2.6
                Jan 15, 2025 03:56:00.324790001 CET500982400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:00.329787016 CET24005009887.120.116.245192.168.2.6
                Jan 15, 2025 03:56:00.329888105 CET500982400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:00.333894014 CET500982400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:00.338751078 CET24005009887.120.116.245192.168.2.6
                Jan 15, 2025 03:56:01.971571922 CET24005009887.120.116.245192.168.2.6
                Jan 15, 2025 03:56:01.971692085 CET500982400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:01.971798897 CET500982400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:01.976546049 CET24005009887.120.116.245192.168.2.6
                Jan 15, 2025 03:56:02.059329033 CET500992400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:02.066319942 CET24005009987.120.116.245192.168.2.6
                Jan 15, 2025 03:56:02.066399097 CET500992400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:02.072093964 CET500992400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:02.076963902 CET24005009987.120.116.245192.168.2.6
                Jan 15, 2025 03:56:03.702630997 CET24005009987.120.116.245192.168.2.6
                Jan 15, 2025 03:56:03.704158068 CET500992400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:03.707649946 CET500992400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:03.712671995 CET24005009987.120.116.245192.168.2.6
                Jan 15, 2025 03:56:03.973910093 CET501002400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:03.978979111 CET24005010087.120.116.245192.168.2.6
                Jan 15, 2025 03:56:03.980041027 CET501002400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:04.150588036 CET501002400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:04.155635118 CET24005010087.120.116.245192.168.2.6
                Jan 15, 2025 03:56:05.629137993 CET24005010087.120.116.245192.168.2.6
                Jan 15, 2025 03:56:05.629333973 CET501002400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:05.629334927 CET501002400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:05.634330988 CET24005010087.120.116.245192.168.2.6
                Jan 15, 2025 03:56:05.715420961 CET501012400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:05.720382929 CET24005010187.120.116.245192.168.2.6
                Jan 15, 2025 03:56:05.720447063 CET501012400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:05.724539995 CET501012400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:05.729315042 CET24005010187.120.116.245192.168.2.6
                Jan 15, 2025 03:56:07.343180895 CET24005010187.120.116.245192.168.2.6
                Jan 15, 2025 03:56:07.343261957 CET501012400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:07.343302011 CET501012400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:07.348216057 CET24005010187.120.116.245192.168.2.6
                Jan 15, 2025 03:56:08.355761051 CET501022400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:08.360950947 CET24005010287.120.116.245192.168.2.6
                Jan 15, 2025 03:56:08.361037970 CET501022400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:08.363967896 CET501022400192.168.2.687.120.116.245
                Jan 15, 2025 03:56:08.368880033 CET24005010287.120.116.245192.168.2.6
                Jan 15, 2025 03:56:09.965425968 CET24005010287.120.116.245192.168.2.6
                Jan 15, 2025 03:56:09.965504885 CET501022400192.168.2.687.120.116.245

                Statistics

                CPU Usage

                Click to jump to process

                Memory Usage

                Click to jump to process

                High Level Behavior Distribution

                Click to dive into process behavior distribution

                Behavior

                Click to jump to process

                System Behavior

                General

                Target ID:0
                Start time:21:51:59
                Start date:14/01/2025
                Path:C:\Users\user\Desktop\Order Drawing.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\Order Drawing.exe"
                Imagebase:0xda0000
                File size:1'005'568 bytes
                MD5 hash:3A9DA3EDC40736CC832EDED3C389A661
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2127574047.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2132909890.0000000007510000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2127574047.0000000004C39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2127574047.0000000004C39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2127574047.0000000004C39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2127574047.0000000004C39000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2127574047.0000000004118000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                Reputation:low
                Has exited:true

                General

                Target ID:3
                Start time:21:52:00
                Start date:14/01/2025
                Path:C:\Users\user\Desktop\Order Drawing.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\Order Drawing.exe"
                Imagebase:0xc80000
                File size:1'005'568 bytes
                MD5 hash:3A9DA3EDC40736CC832EDED3C389A661
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2125985990.000000000116A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.2125581218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                Reputation:low
                Has exited:true

                General

                Target ID:4
                Start time:21:52:00
                Start date:14/01/2025
                Path:C:\ProgramData\Remcos\remcos.exe
                Wow64 process (32bit):true
                Commandline:"C:\ProgramData\Remcos\remcos.exe"
                Imagebase:0xc60000
                File size:1'005'568 bytes
                MD5 hash:3A9DA3EDC40736CC832EDED3C389A661
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Antivirus matches:
                • Detection: 100%, Joe Sandbox ML
                • Detection: 68%, ReversingLabs
                • Detection: 78%, Virustotal, Browse
                Reputation:low
                Has exited:true

                General

                Target ID:5
                Start time:21:52:01
                Start date:14/01/2025
                Path:C:\ProgramData\Remcos\remcos.exe
                Wow64 process (32bit):true
                Commandline:"C:\ProgramData\Remcos\remcos.exe"
                Imagebase:0xe10000
                File size:1'005'568 bytes
                MD5 hash:3A9DA3EDC40736CC832EDED3C389A661
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4576882925.00000000013E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:false

                General

                Target ID:6
                Start time:21:52:11
                Start date:14/01/2025
                Path:C:\ProgramData\Remcos\remcos.exe
                Wow64 process (32bit):true
                Commandline:"C:\ProgramData\Remcos\remcos.exe"
                Imagebase:0x850000
                File size:1'005'568 bytes
                MD5 hash:3A9DA3EDC40736CC832EDED3C389A661
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                General

                Target ID:7
                Start time:21:52:12
                Start date:14/01/2025
                Path:C:\ProgramData\Remcos\remcos.exe
                Wow64 process (32bit):false
                Commandline:"C:\ProgramData\Remcos\remcos.exe"
                Imagebase:0x60000
                File size:1'005'568 bytes
                MD5 hash:3A9DA3EDC40736CC832EDED3C389A661
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                General

                Target ID:8
                Start time:21:52:12
                Start date:14/01/2025
                Path:C:\ProgramData\Remcos\remcos.exe
                Wow64 process (32bit):true
                Commandline:"C:\ProgramData\Remcos\remcos.exe"
                Imagebase:0xb70000
                File size:1'005'568 bytes
                MD5 hash:3A9DA3EDC40736CC832EDED3C389A661
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2248582094.0000000001097000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true

                General

                Target ID:11
                Start time:21:52:20
                Start date:14/01/2025
                Path:C:\ProgramData\Remcos\remcos.exe
                Wow64 process (32bit):true
                Commandline:"C:\ProgramData\Remcos\remcos.exe"
                Imagebase:0xb20000
                File size:1'005'568 bytes
                MD5 hash:3A9DA3EDC40736CC832EDED3C389A661
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                General

                Target ID:12
                Start time:21:52:21
                Start date:14/01/2025
                Path:C:\ProgramData\Remcos\remcos.exe
                Wow64 process (32bit):true
                Commandline:"C:\ProgramData\Remcos\remcos.exe"
                Imagebase:0x6c0000
                File size:1'005'568 bytes
                MD5 hash:3A9DA3EDC40736CC832EDED3C389A661
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2334188947.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true

                General

                Target ID:13
                Start time:21:52:29
                Start date:14/01/2025
                Path:C:\ProgramData\Remcos\remcos.exe
                Wow64 process (32bit):true
                Commandline:"C:\ProgramData\Remcos\remcos.exe"
                Imagebase:0x230000
                File size:1'005'568 bytes
                MD5 hash:3A9DA3EDC40736CC832EDED3C389A661
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                General

                Target ID:14
                Start time:21:52:29
                Start date:14/01/2025
                Path:C:\ProgramData\Remcos\remcos.exe
                Wow64 process (32bit):true
                Commandline:"C:\ProgramData\Remcos\remcos.exe"
                Imagebase:0x950000
                File size:1'005'568 bytes
                MD5 hash:3A9DA3EDC40736CC832EDED3C389A661
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.2418028511.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                Has exited:true

                General

                Target ID:15
                Start time:21:52:34
                Start date:14/01/2025
                Path:C:\Windows\System32\wbem\WMIADAP.exe
                Wow64 process (32bit):false
                Commandline:wmiadap.exe /F /T /R
                Imagebase:0x7ff64ef10000
                File size:182'272 bytes
                MD5 hash:1BFFABBD200C850E6346820E92B915DC
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Disassembly

                No disassembly