Windows Analysis Report
https://maveuve.github.io/frlpodf/marynewreleasefax.html

Overview

General Information

Sample URL:	https://maveuve.github.io/frlpodf/marynewreleasefax.html
Analysis ID:	1518509
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Remcos RAT

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

C2 URLs / IPs found in malware configuration

Creates autostart registry keys with suspicious names

Downloads suspicious files via Chrome

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected suspicious crossdomain redirect

Drops PE files

HTML page contains hidden javascript code

HTTP GET or POST without a user agent

Launches processes in debugging mode, may be used to hinder debugging

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses reg.exe to modify the Windows registry

Yara detected Keylogger Generic

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Antivirus detection for URL or domain

Source: privmerkt.com

Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000D.00000002.2563583207.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "privmerkt.com:9583:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-9QRTYQ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara detected Remcos RAT

Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2423957132.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2324228645.0000000010163000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2323301889.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2563583207.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe PID: 3492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe PID: 6148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe PID: 5652, type: MEMORYSTR

Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000002.2324228645.0000000010163000.00000040.00000001.01000000.00000005.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_0fe8744f-e

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2324228645.0000000010163000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2323301889.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe PID: 3492, type: MEMORYSTR

HTML page contains hidden javascript code

Source: https://maveuve.github.io/frlpodf/marynewreleasefax.html

HTTP Parser: Base64 decoded: {"version":3,"sources":["/cfsetup_build/src/orchestrator/turnstile/templates/turnstile.scss","%3Cinput%20css%20qtFLbZ%3E"],"names":[],"mappings":"AAmCA,gBACI,GACI,uBClCN,CACF,CDqCA,kBACI,GACI,mBCnCN,CACF,CDsCA,iBACI,MAEI,cCrCN,CDwCE,IACI,mBCtCN,CACF,CDyCA...

Source: https://maveuve.github.io/frlpodf/marynewreleasefax.html	HTTP Parser: No favicon
Source: https://maveuve.github.io/frlpodf/marynewreleasefax.html	HTTP Parser: No favicon
Source: https://maveuve.github.io/frlpodf/marynewreleasefax.html	HTTP Parser: No favicon
Source: https://maveuve.github.io/frlpodf/marynewreleasefax.html	HTTP Parser: No favicon

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

Unpacked PE file: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.unpack

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49749 version: TLS 1.2

Source:	Binary string: /app/crashsubmit?appname=SumatraPDFhttp://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5.3.0.pdbSumatraPDF.pdblibmupdf.pdbSumatraPDF-no-MuPDF.pdbhttp://kjkpub.s3.amazonaws.com/sumatrapdf/prerel/SumatraPDF-prerelease-SVN_PRE_RELEASE_VER.pdb.zipsymbols_tmp.ziphttp://kjkpub.s3.amazonaws.com/sumatrapdf/rel/SumatraPDF-1.5.3.0.pdb.zipsymbols_tmp.zipSUMATRAPDF_FULLDUMPHaihaisoft PDF Reader crashedSorry, that shouldn't have happened! source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: SumatraPDF-no-MuPDF.pdb source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: SumatraPDF-1.5.3.0.pdb source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: E:\building\360project\360sd\branches\beta\Build\x86\WhiteCache.pdb source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000002.2323953234.000000001013D000.00000002.00000001.01000000.00000005.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000002.2324907056.000000001039B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\_AppDiscovery_AppDiscovery_1.3.0@2\dev\AppDiscovery_scanner\scanner\src\ADScan\Release\bin\ADScan\ADScan.pdb source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2415952110.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2426201068.0000000004B48000.00000004.00000800.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2418692627.0000000003F60000.00000004.00000800.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2422479886.0000000004F3D000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000013.00000000.2438293164.000000000061E000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: xOdx>a0m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: libmupdf.pdb source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:49763 -> 172.111.163.227:9583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:49764 -> 172.111.163.227:9583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:49767 -> 45.74.48.2:9774

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: privmerkt.com

Detected suspicious crossdomain redirect

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	HTTP traffic: Redirect from: github.com to https://raw.githubusercontent.com/maveuve/vbdsz/refs/heads/main/marys%20organizer%202023%20release.zip
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	HTTP traffic: Redirect from: github.com to https://raw.githubusercontent.com/maveuve/vbdsz/refs/heads/main/marys%20organizer%202023%20release.zip

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.16:49765 -> 178.237.33.50:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.16:49768 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /frlpodf/marynewreleasefax.html HTTP/1.1Host: maveuve.github.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /bootstrap/4.3.1/css/bootstrap.min.css HTTP/1.1Host: stackpath.bootstrapcdn.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://maveuve.github.iosec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: styleReferer: https://maveuve.github.io/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /turnstile/v0/api.js?compat=recaptcha HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://maveuve.github.io/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /turnstile/v0/g/ec4b873d446c/api.js HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://maveuve.github.io/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /turnstile/v0/g/ec4b873d446c/api.js HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/5renj/0x4AAAAAAAktEy218PeM5fmO/auto/fbE/normal/auto/ HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://maveuve.github.io/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/orchestrate/chl_api/v1?ray=8c8c7ad8c96941a6&lang=auto HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/5renj/0x4AAAAAAAktEy218PeM5fmO/auto/fbE/normal/auto/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/cmg/1/wh0E0SXYnx6pTBdJW%2Fl926I%2BPRUplRdtQz3K9lHXs%2Fs%3D HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/5renj/0x4AAAAAAAktEy218PeM5fmO/auto/fbE/normal/auto/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: maveuve.github.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://maveuve.github.io/frlpodf/marynewreleasefax.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/cmg/1/wh0E0SXYnx6pTBdJW%2Fl926I%2BPRUplRdtQz3K9lHXs%2Fs%3D HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/orchestrate/chl_api/v1?ray=8c8c7ad8c96941a6&lang=auto HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/flow/ov1/621320543:1727280800:x-uSLD9blvM2sN0MY5eDk1KX-nemuunHuqvoVAWU97E/8c8c7ad8c96941a6/596e5d08887dcbd HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/pat/8c8c7ad8c96941a6/1727282678369/d41a30965b817c48f2b8012ecc5d4118160944ab876415a0adeddf7d6fb64e62/cwl0dNi4gO4wp8F HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveCache-Control: max-age=0sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/5renj/0x4AAAAAAAktEy218PeM5fmO/auto/fbE/normal/auto/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/i/8c8c7ad8c96941a6/1727282678373/4K3pZlDmL6zt7ib HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/5renj/0x4AAAAAAAktEy218PeM5fmO/auto/fbE/normal/auto/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/i/8c8c7ad8c96941a6/1727282678373/4K3pZlDmL6zt7ib HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=E7m3O887TFWMntR&MD=kMUKRooF HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/flow/ov1/621320543:1727280800:x-uSLD9blvM2sN0MY5eDk1KX-nemuunHuqvoVAWU97E/8c8c7ad8c96941a6/596e5d08887dcbd HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/flow/ov1/621320543:1727280800:x-uSLD9blvM2sN0MY5eDk1KX-nemuunHuqvoVAWU97E/8c8c7ad8c96941a6/596e5d08887dcbd HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /maveuve/vbdsz/raw/refs/heads/main/Marys%20Organizer%202023%20Release.zip HTTP/1.1Host: github.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://maveuve.github.io/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /maveuve/vbdsz/refs/heads/main/Marys%20Organizer%202023%20Release.zip HTTP/1.1Host: raw.githubusercontent.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: https://maveuve.github.io/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /frlpodf/marynewreleasefax.html HTTP/1.1Host: maveuve.github.ioConnection: keep-aliveCache-Control: max-age=0sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9If-None-Match: "66f41242-10f5"If-Modified-Since: Wed, 25 Sep 2024 13:38:10 GMT
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/9m1ve/0x4AAAAAAAktEy218PeM5fmO/auto/fbE/normal/auto/ HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://maveuve.github.io/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/orchestrate/chl_api/v1?ray=8c8c7bc1cab943c1&lang=auto HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/9m1ve/0x4AAAAAAAktEy218PeM5fmO/auto/fbE/normal/auto/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/orchestrate/chl_api/v1?ray=8c8c7bc1cab943c1&lang=auto HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/flow/ov1/784762221:1727280895:DpZwutPQnAJ2xMIFwpiobNTMBlYJp9CWXlp9V5GN5Yo/8c8c7bc1cab943c1/4904f693d598ee1 HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/pat/8c8c7bc1cab943c1/1727282716834/454bfa27911b53eaf89b77fb676ac9ea7d67d7c4009c0340595e1039d45fc476/ANn6E4_AEvWbw_F HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveCache-Control: max-age=0sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/9m1ve/0x4AAAAAAAktEy218PeM5fmO/auto/fbE/normal/auto/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=E7m3O887TFWMntR&MD=kMUKRooF HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/i/8c8c7bc1cab943c1/1727282716836/wNiz968zyhOEG8- HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/9m1ve/0x4AAAAAAAktEy218PeM5fmO/auto/fbE/normal/auto/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/i/8c8c7bc1cab943c1/1727282716836/wNiz968zyhOEG8- HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/flow/ov1/784762221:1727280895:DpZwutPQnAJ2xMIFwpiobNTMBlYJp9CWXlp9V5GN5Yo/8c8c7bc1cab943c1/4904f693d598ee1 HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/flow/ov1/784762221:1727280895:DpZwutPQnAJ2xMIFwpiobNTMBlYJp9CWXlp9V5GN5Yo/8c8c7bc1cab943c1/4904f693d598ee1 HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /maveuve/vbdsz/raw/refs/heads/main/Marys%20Organizer%202023%20Release.zip HTTP/1.1Host: github.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://maveuve.github.io/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /maveuve/vbdsz/refs/heads/main/Marys%20Organizer%202023%20Release.zip HTTP/1.1Host: raw.githubusercontent.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: https://maveuve.github.io/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: maveuve.github.io
Source: global traffic	DNS traffic detected: DNS query: challenges.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: stackpath.bootstrapcdn.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: privmerkt.com
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: nwemarkets.com

Source: unknown

HTTP traffic detected: POST /cdn-cgi/challenge-platform/h/g/flow/ov1/621320543:1727280800:x-uSLD9blvM2sN0MY5eDk1KX-nemuunHuqvoVAWU97E/8c8c7ad8c96941a6/596e5d08887dcbd HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveContent-Length: 2740sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Content-type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36CF-Challenge: 596e5d08887dcbdsec-ch-ua-platform: "Windows"Accept: */*Origin: https://challenges.cloudflare.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/5renj/0x4AAAAAAAktEy218PeM5fmO/auto/fbE/normal/auto/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 9115Server: GitHub.comContent-Type: text/html; charset=utf-8permissions-policy: interest-cohort=()ETag: "66f42b03-239b"Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self'X-GitHub-Request-Id: B0A8:16FC:DF5CDC:F64E2A:66F43DF5Accept-Ranges: bytesAge: 0Date: Wed, 25 Sep 2024 16:44:37 GMTVia: 1.1 varnishX-Served-By: cache-nyc-kteb1890089-NYCX-Cache: MISSX-Cache-Hits: 0X-Timer: S1727282678.712256,VS0,VE12Vary: Accept-EncodingX-Fastly-Request-ID: 4df56139da6771a9ee33d896ba1a2d7a1a250114
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 16:44:39 GMTContent-Type: application/jsonContent-Length: 7Connection: closecf-chl-out: 4IA3++4DQo/dQ/6htSqdo4nGtJCiIc21iik=$q2ffHhGJNXwllPmocache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Server: cloudflareCF-RAY: 8c8c7ae99f0d183d-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 16:44:42 GMTContent-Type: application/jsonContent-Length: 7Connection: closecf-chl-out: nY4+DH6ZBhG0Oqj/RFG0xMF8vFh5uwTGybA=$alOBOjM7O2DWM6MXcache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Server: cloudflareCF-RAY: 8c8c7afcbc4542b9-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 16:44:44 GMTContent-Type: application/jsonContent-Length: 7Connection: closecache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0cf-chl-out: yzYdkmFQqIKp4n/d8ojQnwwKrZsIgtD8TRU=$KqvhZj5kqJ9sfX1RServer: cloudflareCF-RAY: 8c8c7b098cfe0f63-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 16:45:18 GMTContent-Type: application/jsonContent-Length: 7Connection: closecache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0cf-chl-out: heThQ+4lTs7dNvOM9rk0oj2vvmHsAKe1d7U=$Ig+HqhGhMfGlFPmoServer: cloudflareCF-RAY: 8c8c7bdecf9a17f1-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 16:45:21 GMTContent-Type: application/jsonContent-Length: 7Connection: closecache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0cf-chl-out: cf//PbHEE7HjoGAaztXMbRYI2394GGHDrkU=$oTsqUDjJCW31GfGkServer: cloudflareCF-RAY: 8c8c7bf23c7b4402-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 16:45:23 GMTContent-Type: application/jsonContent-Length: 7Connection: closecache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0cf-chl-out: hiLtZWxjvfA5cR90Xv1b2YnN3f6C1ASxQe8=$bT7Mq3YK+vpHIjc+Server: cloudflareCF-RAY: 8c8c7bff2f2a19aa-EWR

Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://HDMHDMLoading...%s
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://blog.kowalczyk.info/software/sumatrapdf/translations.htmlContribute
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://blog.kowalczyk.info/software/sumatrapdf/translators.htmlThe
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://blog.kowalczyk.infoKrzysztof
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD%AF%E4%BB%B6PDF%E9%98%85%E8%AF%BB%E5%99%A8.aspxopen
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://cn.haihaisoft.comhttp://www.haihaisoft.comcnhttp://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000002.2563583207.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2313438225.0000000000DE7000.00000004.00000800.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2331062452.0000000000DDC000.00000004.00000800.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2313438225.0000000000E0C000.00000004.00000800.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000002.2563583207.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000002.2563583207.0000000000E11000.00000004.00000020.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2331062452.0000000000E11000.00000004.00000800.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2340389898.0000000000DE7000.00000004.00000800.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2331062452.0000000000E05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000002.2324228645.0000000010163000.00000040.00000001.01000000.00000005.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000002.2323301889.0000000002850000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2313438225.0000000000DE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpT
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2331062452.0000000000DF6000.00000004.00000800.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2313438225.0000000000DE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpV
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2331062452.0000000000DF6000.00000004.00000800.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2313438225.0000000000DE7000.00000004.00000800.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000002.2563583207.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpn
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://itexmac.sourceforge.net/SyncTeX.htmlJ
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://mailto:EmbeddedFilesTypeFilespecD%s%dR%s%sA%s%sKids.seen.seen.seenNumsSPStD%s.%d:%d:%dInfoPag
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://mupdf.comMuPDFpdf
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://p.yusukekamiyamane.com/Yusuke
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://william.famille-blum.org/William
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Digitized
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlLicensed
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.drm-x.com/pdfversion.htm1.5.7.0..http://www.haihaisoft.com/PDF_Reader_download.aspxopenSo
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.drm-x.net/http://cn.drm-x.com/LicPrepare2008.aspxLicPrepare20082013.aspx.drm-x.com/2/%s?c
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.flashvidz.tk/Zenonprogram
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.freetype.org/FreeTypefont
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.haihaisoft.com/Contact.aspx
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.haihaisoft.com/Contact.aspx%u%?.Install_DirSoftware
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.haihaisoft.com/PDF_Reader_download.aspxhttp://www.drm-x.com/pdfversion.htmMS
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.haihaisoft.comSumatraPDF
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000002.2324907056.0000000010375000.00000004.00001000.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000002.2323953234.0000000010119000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000002.2324907056.0000000010375000.00000004.00001000.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000002.2323953234.0000000010119000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: build.exe, 00000013.00000000.2438293164.000000000061E000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.symantec.com/XMLSchema/dcs/disc-protection
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2415952110.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2426201068.0000000004B48000.00000004.00000800.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2418692627.0000000003F60000.00000004.00000800.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2422479886.0000000004F3D000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000013.00000000.2438293164.000000000061E000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.symantec.com/XMLSchema/dcs/disc-results
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.winimage.com/zLibDllbad
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 00000009.00000000.2148958453.00000000006C9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.zeniko.ch/#SumatraPDFSimon
Source: chromecache_75.1.dr	String found in binary or memory: https://getbootstrap.com/)
Source: chromecache_75.1.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: chromecache_74.1.dr	String found in binary or memory: https://githubstatus.com
Source: chromecache_74.1.dr	String found in binary or memory: https://help.github.com/pages/
Source: chromecache_74.1.dr	String found in binary or memory: https://twitter.com/githubstatus

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49749 version: TLS 1.2

Yara detected Keylogger Generic

Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2324228645.0000000010163000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2323301889.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe PID: 3492, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2423957132.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2324228645.0000000010163000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2323301889.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2563583207.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe PID: 3492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe PID: 6148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe PID: 5652, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10000000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10000000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000009.00000002.2324228645.0000000010163000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.2323301889.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.2323301889.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000009.00000002.2323301889.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe PID: 3492, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Downloads suspicious files via Chrome

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\Marys Organizer 2023 Release.zip (copy)

Jump to dropped file

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f

Yara signature match

Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10163f0e.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.2850000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10000000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe.10000000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000009.00000002.2324228645.0000000010163000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.2323301889.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.2323301889.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000002.2323301889.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe PID: 3492, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.expl.evad.win@37/33@21/12

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=2028,i,2931579537296338705,3953823219278610053,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://maveuve.github.io/frlpodf/marynewreleasefax.html"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"
Source: unknown	Process created: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: unknown	Process created: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=2028,i,2931579537296338705,3953823219278610053,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f	Jump to behavior

Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: k7rn7l32.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ntd3ll.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: k7rn7l32.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ntd3ll.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: oledlg.dll	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe	Jump to behavior

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco			Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000002.2563583207.0000000000E45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000002.2563583207.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000003.2313438225.0000000000E23000.00000004.00000800.00020000.00000000.sdmp, MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, 0000000D.00000002.2563583207.0000000000E29000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-9QRTYQ			Jump to behavior
Source: C:\Users\user\Downloads\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-9QRTYQ			Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.68	www.google.com	United States	15169	GOOGLEUS	false
104.18.10.207	stackpath.bootstrapcdn.com	United States	13335	CLOUDFLARENETUS	false
216.58.212.164	unknown	United States	15169	GOOGLEUS	false
104.18.94.41	unknown	United States	13335	CLOUDFLARENETUS	false
104.18.95.41	challenges.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
140.82.121.4	github.com	United States	36459	GITHUBUS	false
185.199.111.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false
172.111.163.227	privmerkt.com	United States	32489	AMANAHA-NEWCA	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
185.199.108.153	maveuve.github.io	Netherlands	54113	FASTLYUS	false
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false

Name	Malicious	Antivirus Detection	Reputation
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/orchestrate/chl_api/v1?ray=8c8c7bc1cab943c1&lang=auto	false	Avira URL Cloud: safe	unknown
https://challenges.cloudflare.com/turnstile/v0/g/ec4b873d446c/api.js	false	Avira URL Cloud: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css	false	Avira URL Cloud: safe	unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/orchestrate/chl_api/v1?ray=8c8c7ad8c96941a6&lang=auto	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/maveuve/vbdsz/refs/heads/main/Marys%20Organizer%202023%20Release.zip	false	Avira URL Cloud: safe	unknown
https://maveuve.github.io/frlpodf/marynewreleasefax.html	false		unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/pat/8c8c7bc1cab943c1/1727282716834/454bfa27911b53eaf89b77fb676ac9ea7d67d7c4009c0340595e1039d45fc476/ANn6E4_AEvWbw_F	false	Avira URL Cloud: safe	unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/i/8c8c7ad8c96941a6/1727282678373/4K3pZlDmL6zt7ib	false	Avira URL Cloud: safe	unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/5renj/0x4AAAAAAAktEy218PeM5fmO/auto/fbE/normal/auto/	false	Avira URL Cloud: safe	unknown
privmerkt.com	true	Avira URL Cloud: malware	unknown
https://challenges.cloudflare.com/turnstile/v0/api.js?compat=recaptcha	false	Avira URL Cloud: safe	unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/9m1ve/0x4AAAAAAAktEy218PeM5fmO/auto/fbE/normal/auto/	false	Avira URL Cloud: safe	unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/cmg/1/wh0E0SXYnx6pTBdJW%2Fl926I%2BPRUplRdtQz3K9lHXs%2Fs%3D	false	Avira URL Cloud: safe	unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/flow/ov1/784762221:1727280895:DpZwutPQnAJ2xMIFwpiobNTMBlYJp9CWXlp9V5GN5Yo/8c8c7bc1cab943c1/4904f693d598ee1	false	Avira URL Cloud: safe	unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/flow/ov1/621320543:1727280800:x-uSLD9blvM2sN0MY5eDk1KX-nemuunHuqvoVAWU97E/8c8c7ad8c96941a6/596e5d08887dcbd	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown
https://maveuve.github.io/favicon.ico	false	Avira URL Cloud: safe	unknown
https://github.com/maveuve/vbdsz/raw/refs/heads/main/Marys%20Organizer%202023%20Release.zip	false	Avira URL Cloud: safe	unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/i/8c8c7bc1cab943c1/1727282716836/wNiz968zyhOEG8-	false	Avira URL Cloud: safe	unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/pat/8c8c7ad8c96941a6/1727282678369/d41a30965b817c48f2b8012ecc5d4118160944ab876415a0adeddf7d6fb64e62/cwl0dNi4gO4wp8F	false	Avira URL Cloud: safe	unknown

ID:	1518509
Product:	CloudBasic
Start time:	18:43:57
Start date:	25.09.2024
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\json[1].json	JSON data	18BC6D34FABB00C1E30D98E8DAEC814A	D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54	862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
C:\Users\user\AppData\Local\Temp\build.exe	PE32 executable (GUI) Intel 80386, for MS Windows	55FC1A86363D371667FFC9D4DF110A5E	97AB0AF74FCB6F2254BFBCCE912F1BCCCD58463B	A3A4B56DAAC71B1CE0B62F548C200323E603555438C7FB1452268BCA37C8E94F
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Sep 25 15:44:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	CBA163034E087D35C9AFCF0DD3B253FA	39729153552909091E214599820182F01E6E4661	AB945296C7C38F7F02F27D787CED4D904ED2D7C13DA5BC6896BFC83D7D725FFC
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Sep 25 15:44:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	35587D847DFABC9B47B281A756BBDD68	0EAD7690786F3C88D23AFFB747729CA329840ADB	49D37EA455CF37EB43B60F4A34BD2B4B406EDE85B56D0552CE9BDEF971CAAD39
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	1A904605BF55CCE6D317D8E41A0756B0	A94097A846F14AC9780C2F9B8EBE09E3199D0511	B99DCE50190D0791F98950E60F5A186499ADF6722C7149631A1A8B1E8C556957
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Sep 25 15:44:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	F5140CBA50D9D27A3FFB3E953996C6AD	E8724604F36FF6FA07E364CFDC1D7A7B298FD4E1	D2E0BE4BE885016388FF710F603EFC2D5497B1BA224BFDD2559E02EDE28C9968
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Sep 25 15:44:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	99A4276A078871B66F2762263AFE0947	73E296CEE20C52712B9BEC7EA953AEB1DF819A71	ADCB8272593A7AD5E57CD60F578EFAD75FFE93BADCD67136B22848891B7B2AC6
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Sep 25 15:44:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	24987E3EDC775F2F494F13F9272A6C50	0BF58A55681C85CC4C0FBEEE95C4B07EEC7E8894	AEE3F4746D759CB7B98ED2CA2CF3B8CF80C55DA069948EE3A7DC7C97273F8A2F
C:\Users\user\Downloads\6c0e1526-d764-492b-bf2b-91f1d0333ac8.tmp	Zip archive data, at least v2.0 to extract, compression method=deflate	CE31CB2F1F827B6D764A48203C924873	4882701D701101A39545C35F42D9E84E5D270967	F94828BA1F117715569273254FB316C2969884490DA30362FC2583856513DEB3
C:\Users\user\Downloads\Marys Organizer 2023 Release (1).zip.crdownload	Zip archive data, at least v2.0 to extract, compression method=deflate	86DB7A1BF9901AAA3E616A5A2F89366F	35CF4D7A6726C5DE355A1F0F903F233A82BCC0E3	7AF30DC27CECE97B74FD60BFE610B3935BA2163F46639F1B03DB4F8A993BDE6B
C:\Users\user\Downloads\Marys Organizer 2023 Release.zip (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	E2E67E92CC1D95783A0D5F19EDC451D8	C8C5A9002DE6C1E69DC700115B21F2F6EE452C3C	68F4332560B060339063E982589BECD336A8B1024C6C9BB62207FF2B6B58FB91
C:\Users\user\Downloads\Marys Organizer 2023 Release.zip.crdownload	Zip archive data, at least v2.0 to extract, compression method=deflate	E2E67E92CC1D95783A0D5F19EDC451D8	C8C5A9002DE6C1E69DC700115B21F2F6EE452C3C	68F4332560B060339063E982589BECD336A8B1024C6C9BB62207FF2B6B58FB91
C:\Users\user\Downloads\e882fb46-3f06-487e-bb0c-858422981dc4.tmp	Zip archive data, at least v2.0 to extract, compression method=deflate	69DE7E8AD144999ECE99C3A0EBE3FB36	4CC1B761B96B2C9783069B3335CE094584727B50	1AE16BC722CA8C0C2E4267175AE32DC78EB567106CC06A6EB9E688B08C14329E
Chrome Cache Entry: 73	PNG image data, 2 x 2, 8-bit/color RGB, non-interlaced	9246CCA8FC3C00F50035F28E9F6B7F7D	3AA538440F70873B574F40CD793060F53EC17A5D	C07D7D29E3C20FA6CA4C5D20663688D52BAD13E129AD82CE06B80EB187D9DC84
Chrome Cache Entry: 74	HTML document, ASCII text, with very long lines (3909)	1EB970CE5A18BEC7165F016DF8238566	9EFD1514AF80FE14DB4ED28E9BC53975B9EE089C	70D613E3ACFBA24FD2876FCBACAF639E1E111EF4D54BAF70761C47673F37D6A3
Chrome Cache Entry: 75	ASCII text, with very long lines (65324)	A15C2AC3234AA8F6064EF9C1F7383C37	6E10354828454898FDA80F55F3DECB347FD9ED21	60B19E5DA6A9234FF9220668A5EC1125C157A268513256188EE80F2D2C8D8D36
Chrome Cache Entry: 76	PNG image data, 65 x 64, 8-bit/color RGB, non-interlaced	82E6AF246704D116991A1AACB8EBF4E5	AE821DB4DE2E8BD81FCDBEA11417A9DC3B296117	E2605EFCE7C3E329284305BBEEB19EAD45601BBC9C67977E9BA9B88B079B4B00
Chrome Cache Entry: 77	ASCII text, with very long lines (47261)	E07E7ED6F75A7D48B3DF3C153EB687EB	4601D83C67CC128D1E75D3E035FB8A3BDFA1EE34	96BD1C81D59D6AC2EC9F8EBE4937A315E85443667C5728A7CD9053848DD8D3D7
Chrome Cache Entry: 78	PNG image data, 37 x 4, 8-bit/color RGB, non-interlaced	DD04BB1D3DEFFB2EA63160F2AECD0041	3DB871A540A5240A29468BA3FC1692210190F3D7	CC8D3991DB1071DCDB1980672B1786CDFB9BBBAA93A2D01F737DC29A24490F86
Chrome Cache Entry: 79	PNG image data, 65 x 64, 8-bit/color RGB, non-interlaced	82E6AF246704D116991A1AACB8EBF4E5	AE821DB4DE2E8BD81FCDBEA11417A9DC3B296117	E2605EFCE7C3E329284305BBEEB19EAD45601BBC9C67977E9BA9B88B079B4B00
Chrome Cache Entry: 80	PNG image data, 37 x 4, 8-bit/color RGB, non-interlaced	DD04BB1D3DEFFB2EA63160F2AECD0041	3DB871A540A5240A29468BA3FC1692210190F3D7	CC8D3991DB1071DCDB1980672B1786CDFB9BBBAA93A2D01F737DC29A24490F86
Chrome Cache Entry: 81	ASCII text, with very long lines (47261)	E07E7ED6F75A7D48B3DF3C153EB687EB	4601D83C67CC128D1E75D3E035FB8A3BDFA1EE34	96BD1C81D59D6AC2EC9F8EBE4937A315E85443667C5728A7CD9053848DD8D3D7
Chrome Cache Entry: 82	HTML document, ASCII text	E9999C4F3691C1FE27AB0CFC6E86BE53	36519D1493C5479DEBABFBE2D7FC4F49C26B52D2	49FF11A5AC98870828D1939731134179F20CE6A46C6750278906B3E6D6904946
Chrome Cache Entry: 83	PNG image data, 2 x 2, 8-bit/color RGB, non-interlaced	9246CCA8FC3C00F50035F28E9F6B7F7D	3AA538440F70873B574F40CD793060F53EC17A5D	C07D7D29E3C20FA6CA4C5D20663688D52BAD13E129AD82CE06B80EB187D9DC84
Chrome Cache Entry: 84	Zip archive data, at least v2.0 to extract, compression method=deflate	86DB7A1BF9901AAA3E616A5A2F89366F	35CF4D7A6726C5DE355A1F0F903F233A82BCC0E3	7AF30DC27CECE97B74FD60BFE610B3935BA2163F46639F1B03DB4F8A993BDE6B

Windows Analysis Report https://maveuve.github.io/frlpodf/marynewreleasefax.html

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Exploits

Phishing

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
https://maveuve.github.io/frlpodf/marynewreleasefax.html

Malware Threat Intel
Provided by