Edit tour

Windows Analysis Report
https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739

Overview

General Information

Sample URL:	https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741
Analysis ID:	1633116
Infos:

Detection

Remcos, DBatLoader

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Detected Remcos RAT

Early bird code injection technique detected

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Allocates memory in foreign processes

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Queues an APC in another process (thread injection)

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Uses dynamic DNS services

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the user directory

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6800 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7028 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,12069103136976824217,1151327071205399440,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5936 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739" MD5: E81F54E6C1129887AEA47E7D092680BF)

rundll32.exe (PID: 5840 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

List Of required Pump Spares,Xls.exe (PID: 3004 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe" MD5: 222C293BB11D11C06A3354E257C85035)

cmd.exe (PID: 3328 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\4976.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

esentutl.exe (PID: 6440 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)

alpha.pif (PID: 2284 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

alpha.pif (PID: 2016 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6324 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\7811.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 6420 cmdline: ping 127.0.0.1 -n 10 MD5: B3624DD758CCECF93A1226CEF252CA12)

SndVol.exe (PID: 7216 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d770:$a1: Remcos restarted by watchdog! 0x6ddc0:$a3: %02i:%02i:%02i:%03i
00000011.00000002.2224658697.00000000023F9000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6dcc8:$a1: Remcos restarted by watchdog! 0x6e318:$a3: %02i:%02i:%02i:%03i
00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
00000018.00000002.2404479578.0000000033227000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 11 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe, ProcessId: 3004, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.pif, NewProcessName: C:\Users\Public\alpha.pif, OriginalFileName: C:\Users\Public\alpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\4976.cmd"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3328, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , ProcessId: 2284, ProcessName: alpha.pif

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\\Users\\user\\Links\Oxbpthwf.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe, ProcessId: 3004, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oxbpthwf

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.pif, NewProcessName: C:\Users\Public\alpha.pif, OriginalFileName: C:\Users\Public\alpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\4976.cmd"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3328, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , ProcessId: 2284, ProcessName: alpha.pif

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 8C A9 EF EF FC 15 56 C3 64 EB D2 D2 7E 5F DF 5C C7 6A 28 54 3E 2F 68 95 0C 83 B3 51 E9 B6 F4 87 3F DD CC F7 3B 24 9A B9 44 B8 3E 3D C4 26 3C F8 03 82 C5 F9 1A 6C F1 2A 02 08 FA BD FF 44 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\SndVol.exe, ProcessId: 7216, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-14MUP4\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-09T22:00:07.374174+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.16	49727	193.9.36.1	5200	TCP

Joe Sandbox Signatures

• AV Detection
• Exploits
• Software Vulnerabilities
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected Remcos RAT

Source: Yara match	File source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2404479578.0000000033227000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: chrome.exe

Memory has grown: Private usage: 18MB later: 39MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:49727 -> 193.9.36.1:5200

Uses dynamic DNS services

Source: unknown

DNS query: name: baddieszn.duckdns.org

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.181.227
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739 HTTP/1.1Host: drive.usercontent.google.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Browser-Channel: stableX-Browser-Year: 2025X-Browser-Validation: wTKGXmLo+sPWz1JKKbFzUyHly1Q=X-Browser-Copyright: Copyright 2025 Google LLC. All rights reserved.X-Client-Data: CLbgygE=Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: baddieszn.duckdns.org

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: Yara match	File source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2404479578.0000000033227000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir6800_429536495
Source: C:\Users\Public\alpha.pif	File created: C:\Windows
Source: C:\Users\Public\alpha.pif	File created: C:\Windows \SysWOW64

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir6800_429536495

Source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.troj.expl.evad.win@43/9@5/93

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\140190b2-e06c-4ef3-891e-b0091b139139.tmp

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3936:120:WilError_03
Source: C:\Windows\SysWOW64\SndVol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-14MUP4

Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,12069103136976824217,1151327071205399440,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,12069103136976824217,1151327071205399440,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe "C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\4976.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\7811.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\4976.cmd""
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\7811.cmd""
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: url.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ???.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??????s?.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ????.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ????.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ????.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ieproxy.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: mssip32.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: smartscreenps.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??????????.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ????.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ???e???????????.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ???e???????????.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: tquery.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: cryptdll.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: spp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: vssapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: vsstrace.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: endpointdlp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: endpointdlp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: endpointdlp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: endpointdlp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: sppwmi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: sppcext.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: winscard.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: esent.dll
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation

Yara detected DBatLoader

Source: Yara match

File source: 00000011.00000002.2224658697.00000000023F9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	File created: C:\Users\user\Links\Oxbpthwf.PIF			Jump to dropped file

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	File created: C:\Users\user\Links\Oxbpthwf.PIF			Jump to dropped file

Source: C:\Windows\SysWOW64\esentutl.exe

File created: C:\Users\Public\alpha.pif

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\SysWOW64\esentutl.exe

File created: C:\Users\Public\alpha.pif

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Oxbpthwf
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Oxbpthwf

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SndVol.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10

Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe

Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\SndVol.exe

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe

Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 3070000 protect: page execute and read and write

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Source: C:\Windows\SysWOW64\esentutl.exe

File created: C:\Users\Public\alpha.pif

Jump to dropped file

Queues an APC in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe

Thread APC queued: target process: C:\Windows\SysWOW64\SndVol.exe

Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\SndVol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2404479578.0000000033227000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\SysWOW64\SndVol.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-14MUP4

Yara detected Remcos RAT

Source: Yara match	File source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2404479578.0000000033227000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	311 Process Injection	221 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Extra Window Memory Injection	311 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	12 System Information Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Source	Detection	Scanner	Label	Link
https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\alpha.pif	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
drive.usercontent.google.com	142.250.185.161	true	false	high
www.google.com	172.217.16.196	true	false	high
baddieszn.duckdns.org	193.9.36.1	true	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.238	unknown	United States	15169	GOOGLEUS	false
142.250.185.67	unknown	United States	15169	GOOGLEUS	false
64.233.167.84	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
193.9.36.1	baddieszn.duckdns.org	Czech Republic	204860	NETXNetXNetworksasCZ	true
142.250.185.161	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
142.250.186.174	unknown	United States	15169	GOOGLEUS	false
142.250.186.110	unknown	United States	15169	GOOGLEUS	false
142.250.184.227	unknown	United States	15169	GOOGLEUS	false
172.217.16.196	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1633116
Start date and time:	2025-03-09 21:59:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.win@43/9@5/93

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.181.238, 142.250.184.227, 142.250.186.110, 64.233.167.84, 142.250.185.110, 216.58.212.142
Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, clientservices.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739

Created / dropped Files

C:\ProgramData\4976.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe
File Type:	Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
Category:	dropped
Size (bytes):	19854
Entropy (8bit):	4.799579726516822
Encrypted:	false
SSDEEP:
MD5:	1DF650CCA01129127D30063634AB5C03
SHA1:	BC7172DEC0B12B05F2247BD5E17751EB33474D4E
SHA-256:	EDD4094E7A82A6FF8BE65D6B075E9513BD15A6B74F8032B5C10CE18F7191FA60
SHA-512:	0BDDF9ECAAEDB0C30103A1FBFB644D6D4F7608BD596403307ED89B2390568C3A29E2CF55D10E2EADBFC407EDE52EAF9A4F2321BA5F37E358A1039F73C7688FBD
Malicious:	false
Reputation:	unknown
Preview:	@%........%e%..... ....%c%.. .. ..%h%.....%o% % %..o.... %o%.%f%..%f%...%..c%...r...%l%......%s%... .%..@%.....%e%..%c%.....%h%... .....%o% .. % %. ...%o%........%f%.%f%..........%..s%. . ... %e%...... ...%t%.. .. .% %.....%"%.....%s%. ..%Z%.....%k%...%r% .... ...%=%.........%s%. %e%.%t%....... ..% %. ...... %"%.......%..%sZkr%"%... .. ...%t%...%w%..%V%.... .%Y%.....%=% ...... .%=%. .....%"%.. . ....%..%sZkr%"%.......%t%.%A%.....%h%......%U%....%M%.... . %m%........%L% .....%r%.%f%..%R%... %%twVY%r%.%e%.. . . ..%m%..........% %. .%"%..%..%sZkr%"%. .....%K%. ..%j% %M% ......%q%.... .....%h%...%Y% ...%E%.. %O%.

C:\ProgramData\7811.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe
File Type:	Unicode text, UTF-8 text, with very long lines (577), with CRLF line terminators
Category:	dropped
Size (bytes):	2860
Entropy (8bit):	4.335677764406247
Encrypted:	false
SSDEEP:
MD5:	9A020804EBA1FFAC2928D7C795144BBF
SHA1:	61FDC4135AFDC99E106912AEAFEAC9C8A967BECC
SHA-256:	A86C6C7A2BF9E12C45275A5E7EBEBD5E6D2BA302FE0A12600B7C9FDF283D9E63
SHA-512:	42F6D754F1BDBEB6E4CC7AEB57FF4C4D126944F950D260A0839911E576AD16002C16122F81C1D39FA529432DCA0A48C9ACFBB18804CA9044425C8E424A5518BE
Malicious:	false
Reputation:	unknown
Preview:	@%.....%e%........r%c%....r%h%rr%o%.o...% %... ..%o%..%f%r..r...%f%.. ......%.."%........%C% %:% .%\%.........%W% ...o.. .%i%...o...%n%o..r.....%d%.........%o%. ..%w%....r.%s%....% %...%\%.o....%S%... %y%.. ....%s%...%W% .%O%....%W%...%6%o.o.r%4%......%\%....%s%....%v%.........%c%......%h%..%o%.......%s%......%t%....o.....%.%.........%p%.......%i%.....%f%... .r...%"%..% % ...%>%.........%n%..........%u%.........o%l%.. .o...% %.r...r...% % ..%&%.......o%..p%........

C:\ProgramData\neo.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe
File Type:	Unicode text, UTF-8 text, with very long lines (372), with CRLF line terminators
Category:	dropped
Size (bytes):	17570
Entropy (8bit):	4.749675665870814
Encrypted:	false
SSDEEP:
MD5:	5BAF253744AD26F35BA17DB6B80763E9
SHA1:	6235B00643E324AC5FEA07F9ADAE9F2A0DB56B99
SHA-256:	9CBB41E6C4F8565A6D121B770FCF3F15A6891C8DF8BFBA6D0414B3AD3298BDBA
SHA-512:	5C949A081D922963745A3F0DEEE87C9D862D278889A6C7790AABF34BC09E04DCE7B3AB41EF7A4F584571CCA739AF0A1DEA4FA244C378696AC7EA6D6AC9B415F8
Malicious:	false
Reputation:	unknown
Preview:	@%... ...%e%....%c%........ .%h%.%o% ...... .% %.....%o%...... ..%f%.... %f%....%..s%... .%e%... ..%t% ........% %.......%"% ..%o%....... .%R%.... ...%W%....%d%......%=%...%s%.. ... %e%........ %t%.... % %. . . .%"%.. .......%..%oRWd%"%..%E%......%V% ...... ..%O%...%s%.. %=% .... %=%..... .%"%...%..%oRWd%"%. . .....%H%....... ..%F% .......%u%...%B%. . ...%q%..%x%... .%m%... ... .%o%....%X%.. .%C%... .%%EVOs%C%....... .%l% .%o%........%a%...... .%"%.. . %..%oRWd%"%.... .....%C%...%l%. .... ..%K%.....%K%... ... %T%.....%x%... %k%.. ... %q%..... ....%R%.. ... %w%.%%EVOs%r%. ... ...%e%..... ..%m%...% %......%"% ...%..%oRWd%"%. %C%. . .%M%....%m%.

C:\Users\Public\alpha.pif

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236544
Entropy (8bit):	6.4416694948877025
Encrypted:	false
SSDEEP:
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
SHA1:	4048488DE6BA4BFEF9EDF103755519F1F762668F
SHA-256:	4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
SHA-512:	80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.l.J.?.J.?.J.?.2(?.J.?.!.>.J.?.!.>.J.?.J.?.K.?.!.>.J.?.!.>.J.?.!.>.J.?.!D?.J.?.!.>.J.?Rich.J.?................PE..L....~.............................. k............@..................................j....@.................................................................p...%...5..T............................................................................text............................... ..`.data...8...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...%...p...&...v..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\Downloads\140190b2-e06c-4ef3-891e-b0091b139139.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	5014
Entropy (8bit):	7.96161778783884
Encrypted:	false
SSDEEP:
MD5:	19CC85625A3D721157BB51658EB884AD
SHA1:	9324F7B83BD45BB6BA5E20EF7639FAD47627FA89
SHA-256:	0605AA637A7A0878E44501E1145B209FC8646068DD77AFF2EA13B8FF3E4D0BB5
SHA-512:	356E8FD6CE12489039F9C9C19AFF67D73C18C9A083AD47669B0BA4D11D1E2F74A5B27E211FA632F529A084C00BA50FC052EC278386B473D7501ACBB04DD7FCE7
Malicious:	false
Reputation:	unknown
Preview:	PK..........hZ................MV NEMO 1,PDF/PK..........hZk.e.K0....F.....MV NEMO 1,PDF/Inquiry MSCS-PR2024-2728,PDF.cmd.n..8A..p..2..V..Q..O..">.4.R5.....[8K:......c1JmV.?..'.c.....r/...L...N.......*.Z.&..V...>.L.M.or..v.:.6#]..j.W...(\K_"X.....&ZL)...L.5.`.Y.@.ZU8.Gg....O....O....2..D..x..A...b".i.(=. ..t..k.~.....V..7!..'U}...7-..R.1t`Q.\)d........!]...=.Y1....5.P....F..D3^#...;.!..7...uA...w....{...;~.\..2.M..I..'gc...../....z5.?...8e.#...7G}.....c.q..z.tL...%..F...&..MF.q}......<.vt.LM....>.....L...Q..'.\|6.[.."ax@......6-..sB.ZO}..........@5..{,........A0.v.....=4Z/_.H....a........A3.o.w.\|...}y.TUZ...].E.se.11%/.iw....5.%,./^.~.".v.......K.FJ.#...+3\|A>..G.....V..P..............`;......J.Jh........5".).u..........{...hY......\|..YT..`.O.d.1b$".........:.E...A....w6.(....!:...k2.....N=.}....s..]S...!.wl&.......<............K...9.m...2o....O.&.....[C.}7...CO....4.,`..#.`.E........wB.$.....a%I.\|u+Sr.h.V..W.U ..&r...,..%.v....U.n.C%...

C:\Users\user\Downloads\MV NEMO 1,PDF.zip (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	19CC85625A3D721157BB51658EB884AD
SHA1:	9324F7B83BD45BB6BA5E20EF7639FAD47627FA89
SHA-256:	0605AA637A7A0878E44501E1145B209FC8646068DD77AFF2EA13B8FF3E4D0BB5
SHA-512:	356E8FD6CE12489039F9C9C19AFF67D73C18C9A083AD47669B0BA4D11D1E2F74A5B27E211FA632F529A084C00BA50FC052EC278386B473D7501ACBB04DD7FCE7
Malicious:	false
Reputation:	unknown
Preview:	PK..........hZ................MV NEMO 1,PDF/PK..........hZk.e.K0....F.....MV NEMO 1,PDF/Inquiry MSCS-PR2024-2728,PDF.cmd.n..8A..p..2..V..Q..O..">.4.R5.....[8K:......c1JmV.?..'.c.....r/...L...N.......*.Z.&..V...>.L.M.or..v.:.6#]..j.W...(\K_"X.....&ZL)...L.5.`.Y.@.ZU8.Gg....O....O....2..D..x..A...b".i.(=. ..t..k.~.....V..7!..'U}...7-..R.1t`Q.\)d........!]...=.Y1....5.P....F..D3^#...;.!..7...uA...w....{...;~.\..2.M..I..'gc...../....z5.?...8e.#...7G}.....c.q..z.tL...%..F...&..MF.q}......<.vt.LM....>.....L...Q..'.\|6.[.."ax@......6-..sB.ZO}..........@5..{,........A0.v.....=4Z/_.H....a........A3.o.w.\|...}y.TUZ...].E.se.11%/.iw....5.%,./^.~.".v.......K.FJ.#...+3\|A>..G.....V..P..............`;......J.Jh........5".).u..........{...hY......\|..YT..`.O.d.1b$".........:.E...A....w6.(....!:...k2.....N=.}....s..]S...!.wl&.......<............K...9.m...2o....O.&.....[C.}7...CO....4.,`..#.`.E........wB.$.....a%I.\|u+Sr.h.V..W.U ..&r...,..%.v....U.n.C%...

C:\Users\user\Downloads\MV NEMO 1,PDF.zip.crdownload (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	19CC85625A3D721157BB51658EB884AD
SHA1:	9324F7B83BD45BB6BA5E20EF7639FAD47627FA89
SHA-256:	0605AA637A7A0878E44501E1145B209FC8646068DD77AFF2EA13B8FF3E4D0BB5
SHA-512:	356E8FD6CE12489039F9C9C19AFF67D73C18C9A083AD47669B0BA4D11D1E2F74A5B27E211FA632F529A084C00BA50FC052EC278386B473D7501ACBB04DD7FCE7
Malicious:	false
Reputation:	unknown
Preview:	PK..........hZ................MV NEMO 1,PDF/PK..........hZk.e.K0....F.....MV NEMO 1,PDF/Inquiry MSCS-PR2024-2728,PDF.cmd.n..8A..p..2..V..Q..O..">.4.R5.....[8K:......c1JmV.?..'.c.....r/...L...N.......*.Z.&..V...>.L.M.or..v.:.6#]..j.W...(\K_"X.....&ZL)...L.5.`.Y.@.ZU8.Gg....O....O....2..D..x..A...b".i.(=. ..t..k.~.....V..7!..'U}...7-..R.1t`Q.\)d........!]...=.Y1....5.P....F..D3^#...;.!..7...uA...w....{...;~.\..2.M..I..'gc...../....z5.?...8e.#...7G}.....c.q..z.tL...%..F...&..MF.q}......<.vt.LM....>.....L...Q..'.\|6.[.."ax@......6-..sB.ZO}..........@5..{,........A0.v.....=4Z/_.H....a........A3.o.w.\|...}y.TUZ...].E.se.11%/.iw....5.%,./^.~.".v.......K.FJ.#...+3\|A>..G.....V..P..............`;......J.Jh........5".).u..........{...hY......\|..YT..`.O.d.1b$".........:.E...A....w6.(....!:...k2.....N=.}....s..]S...!.wl&.......<............K...9.m...2o....O.&.....[C.}7...CO....4.,`..#.`.E........wB.$.....a%I.\|u+Sr.h.V..W.U ..&r...,..%.v....U.n.C%...

C:\Users\user\Links\Oxbpthwf.PIF

Download File

Process:	C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1661952
Entropy (8bit):	7.646882902772495
Encrypted:	false
SSDEEP:
MD5:	222C293BB11D11C06A3354E257C85035
SHA1:	92D0448B482866449C4F512C561A4F29F22361B1
SHA-256:	0833804BEAB831182EBF446C828867653C7B8F1BBE13292421574CDE78C7C70C
SHA-512:	8ECA8708AB931B17F0B5DCB178BCCABDC6DA03FB1E541F72F7777EECEA7D116E37BFEFCDE4C5E3EC3863CD5220FC70AD65662166C94D271AAF317623F4D3EDE3
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................\.............@..............................................@...........................0...$...............................b...........................p.......................6...............................text............................... ..`.itext.............................. ..`.data....?.......@..................@....bss.....6...............................idata...$...0...&..................@....tls....4....`...........................rdata.......p......................@..@.reloc...b.......d..................@..B.rsrc................^..............@..@.....................\..............@..@................................................................................................

C:\Users\user\Links\Oxbpthwf.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\user\\Links\\Oxbpthwf.PIF">), ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	98
Entropy (8bit):	5.19472499211448
Encrypted:	false
SSDEEP:
MD5:	955A21D4A725634E57CEA44433EAC639
SHA1:	077963F2D721598D32AC77DEF033E5676FC14FB7
SHA-256:	AC662F9258D8CA41834E997C9A430AF01F8C11B6D4631C496739F0F1568C5B82
SHA-512:	852EB1942EA9225DC5EAD1025AD97FAFF5FD20169D1D54BA5BDFEFC287CAFE65E1B239EE737422127F59BF201CF423950425E49B89ADBA1D55CA43572E4B0F71
Malicious:	false
Reputation:	unknown
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\user\\Links\\Oxbpthwf.PIF"..IconIndex=969225..HotKey=71..

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	725
Entropy (8bit):	4.868584691050065
Encrypted:	false
SSDEEP:
MD5:	27F901942E2BE9E01DA24E1C80941B62
SHA1:	324A01E9417C05287F26B5734155DA9D904AD763
SHA-256:	34CCF4E63793D0BFDD0A1E8A836D82C8EBB9114664F0BCA250D159BE4ACA9B5B
SHA-512:	6830C321D62454D97360CB7913F2AA674D74C08DC8FA62B3985CC0B685B735E980152626E45413DE19DAE9D79CDB2320187A87EFD0BE7558563113BDA853CAF2
Malicious:	false
Reputation:	unknown
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

⊘No static file info

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\ProgramData\4976.cmd

C:\ProgramData\7811.cmd

C:\ProgramData\neo.cmd

C:\Users\Public\alpha.pif

C:\Users\user\Downloads\140190b2-e06c-4ef3-891e-b0091b139139.tmp

C:\Users\user\Downloads\MV NEMO 1,PDF.zip (copy)

C:\Users\user\Downloads\MV NEMO 1,PDF.zip.crdownload (copy)

C:\Users\user\Links\Oxbpthwf.PIF

C:\Users\user\Links\Oxbpthwf.url

\Device\Null

Static File Info

Windows Analysis Report
https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739