Windows Analysis Report
1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

AI detected suspicious sample

Source: Yara match	File source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 11.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.1273413093.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3736612366.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1306494613.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3736983061.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1306197099.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1305912992.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7456, type: MEMORYSTR

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	6_2_00433837
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00406A63 CryptUnprotectData,LoadLibraryA,GetProcAddress,CryptUnprotectData,	6_2_00406A63
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,	9_2_00404423

Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000000.1273413093.0000000000459000.00000002.00000001.01000000.00000004.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_956bbdb0-a

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 11.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.1273413093.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3736612366.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1306494613.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1306197099.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1305912992.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7456, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_004074FD _wcslen,CoGetObject,

6_2_004074FD

Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	6_2_0040C34D
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	6_2_00409253
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	6_2_0041C291
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	6_2_00409665
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0044E879 FindFirstFileExA,	6_2_0044E879
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	6_2_0040880C
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0040783C FindFirstFileW,FindNextFileW,	6_2_0040783C
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	6_2_00419AF5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	6_2_0040BB30
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	6_2_0040BD37
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_100010F1
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_10006580 FindFirstFileExA,	6_2_10006580
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0040AE51 FindFirstFileW,FindNextFileW,	9_2_0040AE51
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	10_2_00407EF8
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	11_2_00407898

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

6_2_00407C97

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49702 -> 84.32.44.139:1991
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49703 -> 84.32.44.139:1991
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49701 -> 84.32.44.139:1991
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49704 -> 84.32.44.139:1991

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: cavps7.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: cavps7.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.7:49701 -> 84.32.44.139:1991

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: NTT-LT-ASLT NTT-LT-ASLT

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49705 -> 178.237.33.50:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

6_2_0041B380

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3739172527.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000002.1309855073.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000009.00000003.1326057685.000000000099A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ccounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000009.00000003.1326057685.000000000099A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ccounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000002.1309855073.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3738878315.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000009.00000002.1327390759.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3738878315.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000009.00000002.1327390759.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: cavps7.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: bhvD06.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1305698681.000000000059F000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3738021667.0000000000540000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3736983061.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1330242273.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1332955919.0000000000540000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3737442433.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.3283867911.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1330242273.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3737442433.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp3U
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1330242273.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp:U
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.3283867911.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1330242273.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3737442433.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpl
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhvD06.tmp.9.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000002.1309855073.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000003.1309623760.000000000099D000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000003.1309681180.000000000099D000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000002.1309855073.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3739172527.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000002.1309855073.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000003.1309623760.000000000099D000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000003.1309681180.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.comppData
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3739172527.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000002.1309855073.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000009.00000002.1327229826.0000000000193000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000002.1309855073.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?bd78002c55888096ce060c58
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?c2fcd52267835a3e34f9ac05
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?69c749c200c753dfb00f5bc8299ab8eb
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?a2555e10569a45fe03b885d268c50da9
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://fp-as.azureedge.net/apc/trans.gif?23ecc2fb73d617d9826364f47d1067db
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://fp-as.azureedge.net/apc/trans.gif?7bac4e73e9b20fcc41dc97447167937d
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-07-50-22/PreSignInSettingsConfig.json
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=d75433bcf1f9312f1975
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=ad62f4
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000002.1309855073.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhvD06.tmp.9.dr	String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

6_2_0040A2B8

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

6_2_0040B70E

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	6_2_004168C1
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	9_2_0040987A
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	9_2_004098E2
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	10_2_00406DFC
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	10_2_00406E9F
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	11_2_004068B5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	11_2_004072B5

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

6_2_0040B70E

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

6_2_0040A3E0

E-Banking Fraud

Contains functionalty to change the wallpaper

Source: Yara match	File source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 11.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.1273413093.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3736612366.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1306494613.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3736983061.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1306197099.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1305912992.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7456, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_0041C9E2 SystemParametersInfoW,

6_2_0041C9E2

System Summary

Malicious sample detected (through community Yara rule)

Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, type: SAMPLE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000000.1273413093.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.3736612366.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000000.1306494613.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000000.1306197099.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000000.1305912992.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7172, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7432, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7440, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7456, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	6_2_004180EF
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,	6_2_004132D2
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,	6_2_0041BB09
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle,	6_2_0041BB35
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,	9_2_0040DD85
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_00401806 NtdllDefWindowProc_W,	9_2_00401806
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_004018C0 NtdllDefWindowProc_W,	9_2_004018C0
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_004016FD NtdllDefWindowProc_A,	10_2_004016FD
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_004017B7 NtdllDefWindowProc_A,	10_2_004017B7
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_00402CAC NtdllDefWindowProc_A,	11_2_00402CAC
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_00402D66 NtdllDefWindowProc_A,	11_2_00402D66

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

6_2_004167B4

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0043E0CC	6_2_0043E0CC
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0041F0FA	6_2_0041F0FA
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00454159	6_2_00454159
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00438168	6_2_00438168
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_004461F0	6_2_004461F0
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0043E2FB	6_2_0043E2FB
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0045332B	6_2_0045332B
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0042739D	6_2_0042739D
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_004374E6	6_2_004374E6
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0043E558	6_2_0043E558
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00438770	6_2_00438770
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_004378FE	6_2_004378FE
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00433946	6_2_00433946
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0044D9C9	6_2_0044D9C9
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00427A46	6_2_00427A46
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0041DB62	6_2_0041DB62
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00427BAF	6_2_00427BAF
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00437D33	6_2_00437D33
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00435E5E	6_2_00435E5E
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00426E0E	6_2_00426E0E
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0043DE9D	6_2_0043DE9D
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00413FCA	6_2_00413FCA
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00436FEA	6_2_00436FEA
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_10017194	6_2_10017194
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_1000B5C1	6_2_1000B5C1
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0044B040	9_2_0044B040
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0043610D	9_2_0043610D
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_00447310	9_2_00447310
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0044A490	9_2_0044A490
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0040755A	9_2_0040755A
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0043C560	9_2_0043C560
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0044B610	9_2_0044B610
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0044D6C0	9_2_0044D6C0
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_004476F0	9_2_004476F0
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0044B870	9_2_0044B870
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0044081D	9_2_0044081D
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_00414957	9_2_00414957
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_004079EE	9_2_004079EE
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_00407AEB	9_2_00407AEB
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0044AA80	9_2_0044AA80
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_00412AA9	9_2_00412AA9
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_00404B74	9_2_00404B74
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_00404B03	9_2_00404B03
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0044BBD8	9_2_0044BBD8
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_00404BE5	9_2_00404BE5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_00404C76	9_2_00404C76
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_00415CFE	9_2_00415CFE
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_00416D72	9_2_00416D72
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_00446D30	9_2_00446D30
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_00446D8B	9_2_00446D8B
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_00406E8F	9_2_00406E8F
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_00405038	10_2_00405038
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_0041208C	10_2_0041208C
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_004050A9	10_2_004050A9
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_0040511A	10_2_0040511A
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_0043C13A	10_2_0043C13A
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_004051AB	10_2_004051AB
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_00449300	10_2_00449300
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_0040D322	10_2_0040D322
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_0044A4F0	10_2_0044A4F0
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_0043A5AB	10_2_0043A5AB
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_00413631	10_2_00413631
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_00446690	10_2_00446690
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_0044A730	10_2_0044A730
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_004398D8	10_2_004398D8
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_004498E0	10_2_004498E0
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_0044A886	10_2_0044A886
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_0043DA09	10_2_0043DA09
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_00438D5E	10_2_00438D5E
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_00449ED0	10_2_00449ED0
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_0041FE83	10_2_0041FE83
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_00430F54	10_2_00430F54
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_004050C2	11_2_004050C2
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_004014AB	11_2_004014AB
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_00405133	11_2_00405133
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_004051A4	11_2_004051A4
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_00401246	11_2_00401246
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_0040CA46	11_2_0040CA46
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_00405235	11_2_00405235
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_004032C8	11_2_004032C8
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_004222D9	11_2_004222D9
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_00401689	11_2_00401689
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_00402F60	11_2_00402F60

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: String function: 00434770 appears 42 times
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: String function: 00401E65 appears 35 times
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: String function: 00413025 appears 79 times
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: String function: 00416760 appears 69 times

Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1303591020.000000000052A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1332455032.0000000000566000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1333128165.0000000000566000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1305603522.0000000000566000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3739172527.0000000003B6B000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1332955919.0000000000540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Binary or memory string: OriginalFileName vs 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Binary or memory string: OriginalFilename vs 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000002.1309855073.000000000041B000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000006.00000000.1273413093.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.3736612366.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000000.1306494613.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000000.1306197099.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000000.1305912992.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7172, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7432, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7440, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7456, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@7/3@2/2

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 9_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

9_2_004182CE

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		6_2_00417952
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,		11_2_00410DE1

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 9_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

9_2_00418758

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

6_2_0040F474

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

6_2_0041B4A8

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

6_2_0041AA4A

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\json[1].json

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-43JG4A

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

File created: C:\Users\user~1\AppData\Local\Temp\bhvD06.tmp

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: PG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: PG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: Software\	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: Rmc-43JG4A	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: Exe	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: Exe	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: Rmc-43JG4A	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: Inj	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: Inj	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: PG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: PG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: PG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: 8SG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: exepath	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: PG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: 8SG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: exepath	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: PG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: licence	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: PG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: PG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: PG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: PG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: PG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: PG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: dMG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: PG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: PG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: PSG	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: Administrator	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: User	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: del	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: del	6_2_0040E9C5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Command line argument: del	6_2_0040E9C5

Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

System information queried: HandleInformation

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000009.00000002.1327390759.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000A.00000002.1308207689.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3738878315.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000009.00000002.1327390759.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000009.00000002.1327390759.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000009.00000002.1327390759.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000009.00000002.1327390759.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000009.00000003.1326057685.000000000099A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000009.00000002.1327390759.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

ReversingLabs: Detection: 89%

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe "C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe"
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Process created: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\xttxrevmuropxyhmme"
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Process created: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\hnyqswgoizgciedqvprkl"
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Process created: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\jpebsprhwhyhkkrunalmokuw"
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Process created: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\xttxrevmuropxyhmme"	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Process created: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\hnyqswgoizgciedqvprkl"	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Process created: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\jpebsprhwhyhkkrunalmokuw"	Jump to behavior

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

File opened: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.cfg

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Detected unpacking (changes PE section rights)

Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Unpacked PE file: 9.2.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Unpacked PE file: 10.2.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Unpacked PE file: 11.2.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_00406A63 CryptUnprotectData,LoadLibraryA,GetProcAddress,CryptUnprotectData,

6_2_00406A63

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_3_00511A00 push ss; iretd	6_3_00511A36
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_3_00511A00 push ss; iretd	6_3_00511A36
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_3_00507B9C pushad ; ret	6_3_00507BA5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_3_00507B9C pushad ; ret	6_3_00507BA5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_3_00511A00 push ss; iretd	6_3_00511A36
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_3_00511A00 push ss; iretd	6_3_00511A36
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_3_00507B9C pushad ; ret	6_3_00507BA5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_3_00507B9C pushad ; ret	6_3_00507BA5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00457106 push ecx; ret	6_2_00457119
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00457A28 push eax; ret	6_2_00457A46
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00434E56 push ecx; ret	6_2_00434E69
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_10002806 push ecx; ret	6_2_10002819
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0044693D push ecx; ret	9_2_0044694D
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0044DB70 push eax; ret	9_2_0044DB84
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0044DB70 push eax; ret	9_2_0044DBAC
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_00451D54 push eax; ret	9_2_00451D61
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_0044B090 push eax; ret	10_2_0044B0A4
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_0044B090 push eax; ret	10_2_0044B0CC
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_00451D34 push eax; ret	10_2_00451D41
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_00444E71 push ecx; ret	10_2_00444E81
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_00414060 push eax; ret	11_2_00414074
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_00414060 push eax; ret	11_2_0041409C
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_00414039 push ecx; ret	11_2_00414049
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_004164EB push 0000006Ah; retf	11_2_004165C4
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_00416553 push 0000006Ah; retf	11_2_004165C4
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_00416555 push 0000006Ah; retf	11_2_004165C4

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

6_2_00406EB0

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

6_2_0041AA4A

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

6_2_0041CB50

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_0040F7A7 Sleep,ExitProcess,

6_2_0040F7A7

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 9_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,

9_2_0040DD85

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

6_2_0041A748

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Window / User API: threadDelayed 8096			Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Window / User API: threadDelayed 1890			Jump to behavior

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_6-53194

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

API coverage: 10.0 %

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe TID: 7208	Thread sleep count: 8096 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe TID: 7208	Thread sleep time: -24288000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe TID: 7208	Thread sleep count: 1890 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe TID: 7208	Thread sleep time: -5670000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	6_2_0040C34D
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	6_2_00409253
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	6_2_0041C291
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	6_2_00409665
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0044E879 FindFirstFileExA,	6_2_0044E879
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	6_2_0040880C
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0040783C FindFirstFileW,FindNextFileW,	6_2_0040783C
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	6_2_00419AF5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	6_2_0040BB30
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	6_2_0040BD37
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_100010F1
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_10006580 FindFirstFileExA,	6_2_10006580
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 9_2_0040AE51 FindFirstFileW,FindNextFileW,	9_2_0040AE51
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 10_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	10_2_00407EF8
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	11_2_00407898

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

6_2_00407C97

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 9_2_00418981 memset,GetSystemInfo,

9_2_00418981

Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3738021667.0000000000540000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1303591020.0000000000540000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1305394560.0000000000540000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1304492196.000000000052A000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3736983061.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1303591020.000000000052A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bhvD06.tmp.9.dr	Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_004349F9

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

9_2_0040DD85

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_00406A63 CryptUnprotectData,LoadLibraryA,GetProcAddress,CryptUnprotectData,

6_2_00406A63

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_004432B5 mov eax, dword ptr fs:[00000030h]		6_2_004432B5
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_10004AB4 mov eax, dword ptr fs:[00000030h]		6_2_10004AB4

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_00411CFE SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,

6_2_00411CFE

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Process token adjusted: Debug

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_004349F9
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00434B47 SetUnhandledExceptionFilter,	6_2_00434B47
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0043BB22
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00434FDC
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_100060E2
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_10002B1C
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: 6_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_10002639

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

6_2_004180EF

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: NULL target: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: NULL target: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Section loaded: NULL target: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

6_2_004120F7

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_00419627 mouse_event,

6_2_00419627

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Process created: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\xttxrevmuropxyhmme"	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Process created: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\hnyqswgoizgciedqvprkl"	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Process created: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\jpebsprhwhyhkkrunalmokuw"	Jump to behavior

Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.3283675690.000000000059F000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3738206095.000000000059F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager&
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.3283675690.000000000059F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.3283867911.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3736983061.00000000004BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_00434C52 cpuid

6_2_00434C52

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: GetLocaleInfoA,	6_2_0040F8D1
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: EnumSystemLocalesW,	6_2_00452036
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_004520C3
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: GetLocaleInfoW,	6_2_00452313
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: EnumSystemLocalesW,	6_2_00448404
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_0045243C
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: GetLocaleInfoW,	6_2_00452543
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_00452610
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: GetLocaleInfoW,	6_2_004488ED
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	6_2_00451CD8
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: EnumSystemLocalesW,	6_2_00451F50
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: EnumSystemLocalesW,	6_2_00451F9B

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_00404F51 GetLocalTime,CreateEventA,CreateThread,

6_2_00404F51

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_0041B60D GetComputerNameExW,GetUserNameW,

6_2_0041B60D

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 6_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

6_2_00449190

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: 9_2_0041739B GetVersionExW,

9_2_0041739B

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Contains functionality to steal Chrome passwords or cookies

Source: Yara match	File source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 11.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.1273413093.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3736612366.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1306494613.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3736983061.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1306197099.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1305912992.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7456, type: MEMORYSTR

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

6_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		6_2_0040BB30
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: \key3.db		6_2_0040BB30

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: ESMTPPassword	10_2_004033F0
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	10_2_00402DB3
Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	10_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7432, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-43JG4A

Source: Yara match	File source: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 11.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.1273413093.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3736612366.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1306494613.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3736983061.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1306197099.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1305912992.0000000000459000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe PID: 7456, type: MEMORYSTR

Source: C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Code function: cmd.exe

6_2_0040569A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	13 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	2 Obfuscated Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	Logon Script (Windows)	1 Access Token Manipulation	1 Software Packing	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	1 DLL Side-Loading	3 Credentials In Files	3 File and Directory Discovery	Distributed Component Object Model	111 Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	222 Process Injection	1 Bypass User Account Control	LSA Secrets	38 System Information Discovery	SSH	3 Clipboard Data	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Security Software Discovery	VNC	GUI Input Capture	22 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	222 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	89%	ReversingLabs	Win32.Backdoor.Remcos
1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	100%	Avira	BDS/Backdoor.Gen
1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.imvu.comr	0%	URL Reputation	safe
http://www.imvu.com	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://geoplugin.net/json.gp	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe
https://login.yahoo.com/config/login	0%	URL Reputation	safe
http://www.ebuddy.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cavps7.duckdns.org	84.32.44.139	true	true		unknown
geoplugin.net	178.237.33.50	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
cavps7.duckdns.org	true		unknown
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P	bhvD06.tmp.9.dr	false		unknown
https://www.office.com/	bhvD06.tmp.9.dr	false		unknown
http://geoplugin.net/json.gp:U	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1330242273.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://fp-afd.azurefd.us/apc/trans.gif?a2555e10569a45fe03b885d268c50da9	bhvD06.tmp.9.dr	false		unknown
http://www.imvu.comr	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3739172527.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000002.1309855073.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://geoplugin.net/json.gpl	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.3283867911.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1330242273.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3737442433.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aefd.nelreports.net/api/report?cat=bingth	bhvD06.tmp.9.dr	false		unknown
http://www.imvu.com	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000003.1309623760.000000000099D000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000003.1309681180.000000000099D000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000002.1309855073.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aefd.nelreports.net/api/report?cat=wsb	bhvD06.tmp.9.dr	false		unknown
http://www.imvu.comppData	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000003.1309623760.000000000099D000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000003.1309681180.000000000099D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.nirsoft.net	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000009.00000002.1327229826.0000000000193000.00000004.00000010.00020000.00000000.sdmp	false		unknown
https://aefd.nelreports.net/api/report?cat=bingaotak	bhvD06.tmp.9.dr	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	bhvD06.tmp.9.dr	false		unknown
https://deff.nelreports.net/api/report?cat=msn	bhvD06.tmp.9.dr	false	URL Reputation: safe	unknown
https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?c2fcd52267835a3e34f9ac05	bhvD06.tmp.9.dr	false		unknown
https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?bd78002c55888096ce060c58	bhvD06.tmp.9.dr	false		unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3739172527.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000002.1309855073.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		unknown
http://geoplugin.net/json.gp3U	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.3283867911.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000003.1330242273.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 00000006.00000002.3737442433.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000002.1309855073.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		unknown
https://aefd.nelreports.net/api/report?cat=bingaot	bhvD06.tmp.9.dr	false		unknown
https://fp-afd.azurefd.us/apc/trans.gif?69c749c200c753dfb00f5bc8299ab8eb	bhvD06.tmp.9.dr	false		unknown
http://geoplugin.net/json.gp/C	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	false	URL Reputation: safe	unknown
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat	bhvD06.tmp.9.dr	false		unknown
https://aefd.nelreports.net/api/report?cat=bingrms	bhvD06.tmp.9.dr	false		unknown
https://www.google.com/accounts/servicelogin	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	false		unknown
https://login.yahoo.com/config/login	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe	false	URL Reputation: safe	unknown
http://www.nirsoft.net/	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000002.1309855073.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&	bhvD06.tmp.9.dr	false		unknown
http://www.ebuddy.com	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe, 0000000B.00000002.1309855073.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
84.32.44.139	cavps7.duckdns.org	Lithuania		33922	NTT-LT-ASLT	true
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527258
Start date and time:	2024-10-06 21:59:19 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.expl.evad.winEXE@7/3@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 146 Number of non-executed functions: 292
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Simulations

Behavior and APIs

Time	Type	Description
17:16:17	API Interceptor	4440974x Sleep call for process: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
84.32.44.139	MKWbWHd5Ni.rtf	Get hash	malicious	Remcos	Browse
84.32.44.139	GEJMING DUO USD 20241002144902.docx.doc	Get hash	malicious	Remcos	Browse
178.237.33.50	na.rtf	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	na.rtf	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	na.rtf	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	MKWbWHd5Ni.rtf	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	DSpWOKW7zn.rtf	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	DHL Shipment Doc's.xls	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	GEJMING DUO USD 20241002144902.docx.doc	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	PO-00536.xls	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Formularz instrukcji p#U0142atno#U015bci Millennium.xls	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cavps7.duckdns.org	MKWbWHd5Ni.rtf	Get hash	malicious	Remcos	Browse	84.32.44.139
	GEJMING DUO USD 20241002144902.docx.doc	Get hash	malicious	Remcos	Browse	84.32.44.139
	rSignedContract.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	54.39.12.74
	rContract-FP.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	54.39.12.74
geoplugin.net	na.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	na.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	na.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	MKWbWHd5Ni.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	DSpWOKW7zn.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	DHL Shipment Doc's.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	GEJMING DUO USD 20241002144902.docx.doc	Get hash	malicious	Remcos	Browse	178.237.33.50
	PO-00536.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	Formularz instrukcji p#U0142atno#U015bci Millennium.xls	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NTT-LT-ASLT	MKWbWHd5Ni.rtf	Get hash	malicious	Remcos	Browse	84.32.44.139
	Narudzba ACH0036173.vbe	Get hash	malicious	FormBook, GuLoader	Browse	84.32.84.32
	http://ipscanadvsf.com	Get hash	malicious	Unknown	Browse	84.32.84.33
	GEJMING DUO USD 20241002144902.docx.doc	Get hash	malicious	Remcos	Browse	84.32.44.139
	-pdf.bat.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	BDncqpUxZl.dll	Get hash	malicious	BumbleBee	Browse	84.32.84.32
	Midjourney.msi	Get hash	malicious	Unknown	Browse	84.32.84.32
	BDncqpUxZl.dll.dll	Get hash	malicious	BumbleBee	Browse	84.32.84.32
	Midjourney.msi	Get hash	malicious	Unknown	Browse	84.32.84.32
	DHL_ 46773482.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
ATOM86-ASATOM86NL	na.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	na.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	na.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	MKWbWHd5Ni.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	DSpWOKW7zn.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	DHL Shipment Doc's.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	GEJMING DUO USD 20241002144902.docx.doc	Get hash	malicious	Remcos	Browse	178.237.33.50
	PO-00536.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	Formularz instrukcji p#U0142atno#U015bci Millennium.xls	Get hash	malicious	Remcos	Browse	178.237.33.50

Process:	C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.013811273052389
Encrypted:	false
SSDEEP:	12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	18BC6D34FABB00C1E30D98E8DAEC814A
SHA1:	D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
SHA-256:	862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
SHA-512:	8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Temp\bhvD06.tmp

Download File

Process:	C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xe41c9139, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	14680064
Entropy (8bit):	0.9773332236397271
Encrypted:	false
SSDEEP:	6144:QgMnQEUUMBPPpBPJmNjfiEWC7WswQpWK/qZCCkxpu514dCVZ3L9yqXx4SU8GxJHL:hn/cj5tND5ApBK4K
MD5:	05D637853741BF148A7C412A60715BD1
SHA1:	F5ED9E134B9888C15ECDF6DEA9DE99EBFB6018F7
SHA-256:	138B03A3BCF55C30AB2EF2251541F0C7DEC8662B91AE778456B412E71D25FF4F
SHA-512:	5BF0CC4507B0097904A4BE00AF4A0D829C4B98537DD2C101B416BAB61304549D42AC26F90C5A102896810DA4CC8F3BA26241AD6C9B2861593B0A8D0BBB9C1BE1
Malicious:	false
Reputation:	low
Preview:	...9... ................./..(...{........................&....."6...{G......\|E.h.(.........................:.I..(...{..............................................................................................P...........eJ......n........................................................................................................... .......93...{a..............................................................................................................................................................................................(...{................................../.f(.....\|c..................a.{.....\|E..........................#......h.(.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xttxrevmuropxyhmme

Download File

Process:	C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	modified
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5997028894119785
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
File size:	494'592 bytes
MD5:	e9057285aafb6978445c07029fdc5898
SHA1:	f928987a99bfde3cf80730d04e5c1436271d71d0
SHA256:	a21c68c24894a9bd385b58971c4a35d8c4b896a5d4da56ad47832114af033ad6
SHA512:	8603477d72a91833fb3d7c63086b5409ce4d39b3387008fcde96c9f94639726ff219bb6ce9fa9f2173da6b71e123b6549d1876b7145f3a0ff431ced7e779d90f
SSDEEP:	6144:bXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZ5AXIcNn5Gv:bX7tPMK8ctGe4Dzl4h2QnuPs/Z56cv
TLSH:	2DB49E01BAD1C072D57524300D36F776EAB8BD2028364A7BB3D61D5BFE31190B62A6B7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-H..~H..~H..~.f$~[..~.f&~...~.f'~V..~A.Q~I..~.Z.~J..~....R..~....r..~....j..~A.F~Q..~H..~u..~....,..~..*~I..~....I..~RichH..

File Icon


Icon Hash:	95694d05214c1b33

Static PE Info

General

Entrypoint:	0x4349ef
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x66728C58 [Wed Jun 19 07:44:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	8d5087ff5de35c3fbb9f212b47d63cad

Entrypoint Preview

Instruction
call 00007F03F12DAC3Ch
jmp 00007F03F12DA653h
push ebp
mov ebp, esp
sub esp, 00000324h
push ebx
push esi
push 00000017h
call 00007F03F12FCEB4h
test eax, eax
je 00007F03F12DA7C7h
mov ecx, dword ptr [ebp+08h]
int 29h
xor esi, esi
lea eax, dword ptr [ebp-00000324h]
push 000002CCh
push esi
push eax
mov dword ptr [00471D14h], esi
call 00007F03F12DCC27h
add esp, 0Ch
mov dword ptr [ebp-00000274h], eax
mov dword ptr [ebp-00000278h], ecx
mov dword ptr [ebp-0000027Ch], edx
mov dword ptr [ebp-00000280h], ebx
mov dword ptr [ebp-00000284h], esi
mov dword ptr [ebp-00000288h], edi
mov word ptr [ebp-0000025Ch], ss
mov word ptr [ebp-00000268h], cs
mov word ptr [ebp-0000028Ch], ds
mov word ptr [ebp-00000290h], es
mov word ptr [ebp-00000294h], fs
mov word ptr [ebp-00000298h], gs
pushfd
pop dword ptr [ebp-00000264h]
mov eax, dword ptr [ebp+04h]
mov dword ptr [ebp-0000026Ch], eax
lea eax, dword ptr [ebp+04h]
mov dword ptr [ebp-00000260h], eax
mov dword ptr [ebp-00000324h], 00010001h
mov eax, dword ptr [eax-04h]
push 00000050h
mov dword ptr [ebp-00000270h], eax
lea eax, dword ptr [ebp-58h]
push esi
push eax
call 00007F03F12DCB9Eh

Rich Headers

Programming Language:

[C++] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6eea8	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x79000	0x4b30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7e000	0x3bcc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6d340	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x6d3d4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x6d378	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x59000	0x4fc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x57175	0x57200	f959ed65f49a903603bc150bbb7292aa	False	0.571329694225251	data	6.62552167894442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x59000	0x179b6	0x17a00	cb0626634f7bf1c5779954b9e8e456d0	False	0.5005787037037037	Zebra Metafile graphic (comment = \210\002\007)	5.859466241544869	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x71000	0x5d44	0xe00	fa1a169b9414830def88848af87110b5	False	0.22154017857142858	data	3.00580031855032	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x77000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x78000	0x230	0x400	09e4699aa75951ab53e804fe4f9a3b6b	False	0.3271484375	data	2.349075166240886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x79000	0x4b30	0x4c00	8d2f4c37d83e3600ad4a1d89e8cf0272	False	0.28207236842105265	data	3.9871972382142014	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7e000	0x3bcc	0x3c00	0a6e61b09628beca43d4bf9604f65238	False	0.7639973958333334	data	6.718533933603825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x7918c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3421985815602837
RT_ICON	0x795f4	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.27704918032786885
RT_ICON	0x79f7c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.23686679174484052
RT_ICON	0x7b024	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.22977178423236513
RT_RCDATA	0x7d5cc	0x524	data			1.0083586626139818
RT_GROUP_ICON	0x7daf0	0x3e	data	English	United States	0.8064516129032258

Imports

DLL	Import
KERNEL32.dll	FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, TlsAlloc, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll	GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, GetMessageA, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, DispatchMessageA, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, GetIconInfo, GetSystemMetrics, AppendMenuA, RegisterClassExA, GetCursorPos, SetForegroundWindow, DrawIcon, SystemParametersInfoW
GDI32.dll	BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll	ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll	CoInitializeEx, CoUninitialize, CoGetObject
SHLWAPI.dll	PathFileExistsW, PathFileExistsA, StrToIntA
WINMM.dll	waveInUnprepareHeader, waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader
WS2_32.dll	gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
urlmon.dll	URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll	GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
WININET.dll	InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-06T22:00:16.940137+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49701	84.32.44.139	1991	TCP
2024-10-06T22:00:18.221401+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49702	84.32.44.139	1991	TCP
2024-10-06T22:00:18.249317+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49703	84.32.44.139	1991	TCP
2024-10-06T22:00:18.783923+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.7	49704	84.32.44.139	1991	TCP
2024-10-06T22:00:20.538733+0200	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.7	49705	178.237.33.50	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 22:00:16.251419067 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:16.256293058 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:16.256366968 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:16.261158943 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:16.266016960 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:16.889314890 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:16.940136909 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:17.024967909 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:17.028966904 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:17.033745050 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:17.033792973 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:17.038654089 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:17.307713032 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:17.348953009 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:17.354073048 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:17.440651894 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:17.487019062 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:17.533200026 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:17.565056086 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:17.570525885 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:17.570600986 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:17.580858946 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:17.591655016 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:17.596545935 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:17.609384060 CEST	49703	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:17.614327908 CEST	1991	49703	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:17.614463091 CEST	49703	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:17.641444921 CEST	49703	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:17.646406889 CEST	1991	49703	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.137986898 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.142795086 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.143090963 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.146537066 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.151550055 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.168909073 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.193833113 CEST	1991	49703	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.221400976 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.249316931 CEST	49703	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.306760073 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.323733091 CEST	1991	49703	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.346393108 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.377758980 CEST	49703	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.438222885 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.443243980 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.473189116 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.477996111 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.478058100 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.478421926 CEST	49703	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.482848883 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.482963085 CEST	49703	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.483232975 CEST	1991	49703	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.488281012 CEST	1991	49703	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.491251945 CEST	49703	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.709861040 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.709887028 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.709897995 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.709948063 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.710567951 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.710582972 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.710606098 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.711146116 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.711157084 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.711199999 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.711949110 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.711960077 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.712008953 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.712605000 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.712615967 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.712658882 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.713299036 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.713340998 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.714813948 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.739139080 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.768296003 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.783922911 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.800259113 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.800453901 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.800463915 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.800499916 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.812216997 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.812267065 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.812442064 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.812457085 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.812499046 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.813250065 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.813262939 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.813312054 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.814106941 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.814125061 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.814165115 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.814980030 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.814992905 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.815033913 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.815855980 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.815870047 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.815917015 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.816788912 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.816802025 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.816850901 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.817734003 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.817747116 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.817795038 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.818625927 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.818639040 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.818650007 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.818682909 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.819487095 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.819529057 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.836245060 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.836596966 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.836641073 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.836767912 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.868985891 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.873804092 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.877640963 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.878658056 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.878705978 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.880996943 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.883608103 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.885934114 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.885982037 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.885993004 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.886004925 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.886022091 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.886044979 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.886069059 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.886101007 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.886111975 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.886133909 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.886142015 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.886143923 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.886179924 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.886195898 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.886221886 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.886243105 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.886290073 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.890774012 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.890871048 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.890914917 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.890959024 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.891328096 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.891376972 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.891657114 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.891668081 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.891678095 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.891710043 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.891736031 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.892138004 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.892147064 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.892157078 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.892167091 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.892177105 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.892182112 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.892187119 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.892199039 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.892215014 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.892225981 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.892225027 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.892245054 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.892260075 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.892276049 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.892276049 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.892302036 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.892313957 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.892324924 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.892354965 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.893183947 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.893196106 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.893204927 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.893219948 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.893285036 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.893573046 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.893585920 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.893608093 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.894143105 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.894154072 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.894167900 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.894177914 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.894216061 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.894962072 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.894970894 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.894983053 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.894993067 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.895026922 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.895860910 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.895874023 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.895885944 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.895900011 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.895930052 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.896785021 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.896799088 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.896811008 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.896821976 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.896835089 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.896876097 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.897695065 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.897708893 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.897721052 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.897747993 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.898592949 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.898605108 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.898617029 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.898638010 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.898668051 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.899507046 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.899519920 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.899529934 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.899543047 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.899561882 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.899593115 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.900387049 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900399923 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900409937 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900418997 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900428057 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900437117 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900445938 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900454998 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.900455952 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900470018 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900480986 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900490046 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900499105 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900502920 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.900506973 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900520086 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900521994 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.900521994 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.900530100 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900538921 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900542974 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900546074 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.900552034 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900563002 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900572062 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900574923 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.900582075 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900595903 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.900597095 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900608063 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900615931 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900625944 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900635004 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900974989 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.900985003 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.901011944 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.901340008 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.901351929 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.901392937 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.901840925 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.901880980 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.904253006 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.904263020 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.904278994 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.904289007 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905497074 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905505896 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905555010 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905564070 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905627012 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905637026 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905675888 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905736923 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905792952 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905874014 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905883074 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905890942 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905940056 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905949116 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905957937 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905967951 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905987024 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.905996084 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906044006 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906054020 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906061888 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906066895 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906085968 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906105042 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906276941 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906286955 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906342983 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906352043 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906416893 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906425953 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906495094 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906505108 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906563997 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906574011 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906680107 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906689882 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906708002 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906717062 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906760931 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906774044 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906826019 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906836033 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.906862974 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.926878929 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.926925898 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.926937103 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.926965952 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.927129030 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.927141905 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.927176952 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.927294016 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.927304983 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.927340031 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.927483082 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.927494049 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.927525997 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.950444937 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.955660105 CEST	1991	49704	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.955718994 CEST	49704	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.971430063 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.981408119 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.981430054 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.981441021 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.981465101 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.981571913 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.981585979 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.981620073 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.981926918 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.981939077 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.981950998 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.981964111 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.981971025 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.981976986 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.981996059 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.982008934 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.982248068 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.982338905 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.982381105 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.982394934 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.982407093 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.982450962 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.982580900 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.982727051 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.982739925 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.982769012 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.982824087 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.982866049 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.983033895 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.983108997 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.983120918 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.983144999 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.983263016 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.983274937 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.983319998 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.983479977 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.983491898 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.983504057 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.983515024 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.983527899 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.983623028 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.983894110 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.983937979 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.983975887 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.983989954 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.984031916 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.984193087 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.984205008 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.984216928 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.984251976 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.984580994 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.984592915 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.984606028 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.984625101 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.984653950 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.984874010 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.984952927 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.984965086 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.984987974 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.985168934 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.985204935 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.985217094 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.985234976 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.985265970 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.985446930 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.985459089 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.985471010 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.985502005 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.985831022 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.985898018 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.985910892 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.985923052 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.986022949 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.986098051 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.986109972 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.986133099 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.986145973 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.986154079 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.986190081 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.986557007 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.986569881 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.986608982 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.986854076 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.986908913 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.986920118 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.986958027 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.987133980 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.987147093 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.987159967 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.987169981 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.987180948 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.987207890 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.990881920 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.990931034 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.990957022 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.990968943 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.991008997 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.991077900 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.991159916 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.991219044 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.991224051 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:18.991230011 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.991242886 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:18.991286993 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.000320911 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.017756939 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.017771006 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.017802954 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.017813921 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.017853975 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.017880917 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.017937899 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.017980099 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.018038988 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.018050909 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.018088102 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.018163919 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.018186092 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.018228054 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.018385887 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.018398046 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.018444061 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.018548965 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.018562078 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.018601894 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.018784046 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.018795013 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.018809080 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.018821001 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.018832922 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.018841982 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.018871069 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.019141912 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.019153118 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.019165039 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.019188881 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.019208908 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.047022104 CEST	49705	80	192.168.2.7	178.237.33.50
Oct 6, 2024 22:00:19.051927090 CEST	80	49705	178.237.33.50	192.168.2.7
Oct 6, 2024 22:00:19.051990986 CEST	49705	80	192.168.2.7	178.237.33.50
Oct 6, 2024 22:00:19.052169085 CEST	49705	80	192.168.2.7	178.237.33.50
Oct 6, 2024 22:00:19.056963921 CEST	80	49705	178.237.33.50	192.168.2.7
Oct 6, 2024 22:00:19.072002888 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.072065115 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.072074890 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.072117090 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.072220087 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.072232008 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.072242975 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.072264910 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.072304010 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.072460890 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.072554111 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.072597980 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.072680950 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.072691917 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.072701931 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.072711945 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.072750092 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.072784901 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.073014975 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.073132992 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.073143959 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.073154926 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.073175907 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.073189974 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.073487997 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.073498964 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.073510885 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.073523045 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.073534966 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.073540926 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.073563099 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.073904037 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.073915958 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.073926926 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.073940992 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.073949099 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.073966980 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.074198961 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.074213028 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.074237108 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.074296951 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.074309111 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.074318886 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.074331045 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.074341059 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.074345112 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.074354887 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.074356079 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.074395895 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.075197935 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.075211048 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.075221062 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.075232983 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.075248957 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.075258970 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.075263023 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.075275898 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.075289011 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.075299025 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.075300932 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.075314999 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.075323105 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.075340986 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.076076984 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.076091051 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.076101065 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.076113939 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.076119900 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.076124907 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.076132059 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.076141119 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.076152086 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.076164007 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.076172113 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.076178074 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.076203108 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.076239109 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.076952934 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.076992035 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.077003002 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.077014923 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.077027082 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.077032089 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.077039957 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.077054024 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.077066898 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.077073097 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.077084064 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.077094078 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.077096939 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.077110052 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.077110052 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.077125072 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.077142000 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.077168941 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.077756882 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.077769995 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.077816963 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.077883959 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.077896118 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.077939987 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.078027964 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.078039885 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.078051090 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.078078985 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.078246117 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.078257084 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.078291893 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.078356981 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.078368902 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.078378916 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.078392982 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.078407049 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.078406096 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.078421116 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.078428984 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.078433990 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.078445911 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.078475952 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.078912973 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.078922987 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.078933001 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.078963041 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.081450939 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.081500053 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.081509113 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.081518888 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.081556082 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.081585884 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.081681967 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.081691980 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.081717014 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.081825972 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.081836939 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.081861019 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.108303070 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.108354092 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.108360052 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.108371973 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.108422995 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.108458042 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.108470917 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.108510971 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.108603954 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.108684063 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.108695030 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.108742952 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.108824968 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.108866930 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.108876944 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.108889103 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.108901024 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.108936071 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.109196901 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.109209061 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.109226942 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.109236002 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.109266996 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.109467983 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.109481096 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.109493017 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.109503984 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.109513998 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.109517097 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.109538078 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.109781981 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.109795094 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.109816074 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.158899069 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.162802935 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.162872076 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.162916899 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.162919998 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.162991047 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.163003922 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.163028002 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.163146973 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.163158894 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.163171053 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.163183928 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.163191080 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.163211107 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.163496971 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.163508892 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.163520098 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.163533926 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.163537979 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.163562059 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.163778067 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.163786888 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.163815975 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.164007902 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.164020061 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.164031029 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.164042950 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.164048910 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.164057016 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.164069891 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.164073944 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.164083004 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.164107084 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.164145947 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.164453983 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.164465904 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.164482117 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.164499998 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.164510965 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.164515018 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.164522886 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.164534092 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.164535046 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.164547920 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.164561033 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.164572001 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.164583921 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.165194035 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165205002 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165215015 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165226936 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165237904 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165240049 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.165251017 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165258884 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.165262938 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165281057 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165291071 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165292978 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.165304899 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.165340900 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.165781975 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165793896 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165805101 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165816069 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165827990 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165838957 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165839911 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.165851116 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.165853024 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165864944 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165875912 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165878057 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.165889978 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.165899992 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.165939093 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.166475058 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.166486979 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.166496992 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.166508913 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.166522026 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.166522026 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.166533947 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.166546106 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.166546106 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.166557074 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.166568995 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.166579962 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.166585922 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.166591883 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.166598082 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.166604042 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.166615009 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.166624069 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.166627884 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.166640997 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.166650057 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.166677952 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.167435884 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.167447090 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.167457104 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.167468071 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.167479038 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.167481899 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.167490959 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.167491913 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.167504072 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.167515993 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.167516947 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.167530060 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.167541027 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.167541027 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.167552948 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.167566061 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.167577028 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.167577982 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.167588949 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.167610884 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.167649984 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.168231010 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.168242931 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.168253899 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.168266058 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.168272972 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.168277979 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.168299913 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.168322086 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.172259092 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.172308922 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.172321081 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.172360897 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.172435045 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.172486067 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.172502041 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.172513008 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.172523975 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.172533035 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.172544956 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.172569990 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.199089050 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.199110985 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.199122906 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.199152946 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.199256897 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.199269056 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.199314117 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.199398041 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.199409962 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.199446917 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.199584961 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.199596882 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.199634075 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.199743032 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.199754000 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.199767113 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.199775934 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.199836969 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.200026989 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.200040102 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.200051069 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.200062037 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.200072050 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.200077057 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.200086117 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.200095892 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.200113058 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.200126886 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.200413942 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.200426102 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.200436115 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.200447083 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.200453997 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.200476885 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.253397942 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.253444910 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.253457069 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.253506899 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.253565073 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.253578901 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.253592968 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.253618002 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.253634930 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.253834009 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.253846884 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.253858089 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.253871918 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.253887892 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.253911972 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.254117012 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.254277945 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.254291058 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.254302979 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.254314899 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.254327059 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.254337072 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.254339933 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.254355907 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.254362106 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.254383087 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.254407883 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.254751921 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.254765034 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.254776955 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.254801035 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.255007982 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.255021095 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.255043030 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.255048990 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.255055904 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.255069971 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.255081892 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.255086899 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.255095959 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.255108118 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.255117893 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.255119085 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.255131960 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.255132914 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.255146027 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:19.255175114 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:19.255181074 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:20.538325071 CEST	80	49705	178.237.33.50	192.168.2.7
Oct 6, 2024 22:00:20.538728952 CEST	80	49705	178.237.33.50	192.168.2.7
Oct 6, 2024 22:00:20.538733006 CEST	49705	80	192.168.2.7	178.237.33.50
Oct 6, 2024 22:00:20.538815975 CEST	49705	80	192.168.2.7	178.237.33.50
Oct 6, 2024 22:00:20.538933039 CEST	80	49705	178.237.33.50	192.168.2.7
Oct 6, 2024 22:00:20.539251089 CEST	80	49705	178.237.33.50	192.168.2.7
Oct 6, 2024 22:00:20.539278984 CEST	49705	80	192.168.2.7	178.237.33.50
Oct 6, 2024 22:00:20.539470911 CEST	49705	80	192.168.2.7	178.237.33.50
Oct 6, 2024 22:00:20.552807093 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:20.557616949 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:20.678286076 CEST	80	49705	178.237.33.50	192.168.2.7
Oct 6, 2024 22:00:20.678370953 CEST	49705	80	192.168.2.7	178.237.33.50
Oct 6, 2024 22:00:21.745574951 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:21.750596046 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.750621080 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.750639915 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.750653982 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:21.750658035 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.750693083 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:21.750735044 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.750745058 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.750853062 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.750861883 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.750881910 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.750891924 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.755441904 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.755667925 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.755678892 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.755743980 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.755754948 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.755851030 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.755948067 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.977454901 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:21.978496075 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:22.074003935 CEST	49702	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:22.078836918 CEST	1991	49702	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:36.032808065 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:00:36.034559965 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:00:36.039297104 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:01:05.936491013 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:01:05.938148975 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:01:05.943052053 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:01:35.981822014 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:01:35.983398914 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:01:35.988404036 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:02:06.004899025 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:02:06.008888006 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:02:06.013715982 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:02:09.035212994 CEST	49705	80	192.168.2.7	178.237.33.50
Oct 6, 2024 22:02:09.503732920 CEST	49705	80	192.168.2.7	178.237.33.50
Oct 6, 2024 22:02:10.113467932 CEST	49705	80	192.168.2.7	178.237.33.50
Oct 6, 2024 22:02:11.316253901 CEST	49705	80	192.168.2.7	178.237.33.50
Oct 6, 2024 22:02:13.816267967 CEST	49705	80	192.168.2.7	178.237.33.50
Oct 6, 2024 22:02:18.628828049 CEST	49705	80	192.168.2.7	178.237.33.50
Oct 6, 2024 22:02:28.425831079 CEST	49705	80	192.168.2.7	178.237.33.50
Oct 6, 2024 22:02:36.029795885 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:02:36.034732103 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:02:36.039630890 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:03:06.052349091 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:03:06.053577900 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:03:06.058377981 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:03:36.086558104 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:03:36.088485003 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:03:36.093368053 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:04:06.115277052 CEST	1991	49701	84.32.44.139	192.168.2.7
Oct 6, 2024 22:04:06.117257118 CEST	49701	1991	192.168.2.7	84.32.44.139
Oct 6, 2024 22:04:06.122174025 CEST	1991	49701	84.32.44.139	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 22:00:16.130901098 CEST	58264	53	192.168.2.7	1.1.1.1
Oct 6, 2024 22:00:16.247842073 CEST	53	58264	1.1.1.1	192.168.2.7
Oct 6, 2024 22:00:19.036437035 CEST	49169	53	192.168.2.7	1.1.1.1
Oct 6, 2024 22:00:19.043441057 CEST	53	49169	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 6, 2024 22:00:16.130901098 CEST	192.168.2.7	1.1.1.1	0xef95	Standard query (0)	cavps7.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:00:19.036437035 CEST	192.168.2.7	1.1.1.1	0x6be4	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 6, 2024 22:00:16.247842073 CEST	1.1.1.1	192.168.2.7	0xef95	No error (0)	cavps7.duckdns.org		84.32.44.139	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:00:19.043441057 CEST	1.1.1.1	192.168.2.7	0x6be4	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49705	178.237.33.50	80	7172	C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Oct 6, 2024 22:00:19.052169085 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Oct 6, 2024 22:00:20.538325071 CEST	1170	IN	HTTP/1.1 200 OK date: Sun, 06 Oct 2024 20:00:19 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
Oct 6, 2024 22:00:20.538728952 CEST	1170	IN	HTTP/1.1 200 OK date: Sun, 06 Oct 2024 20:00:19 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
Oct 6, 2024 22:00:20.538933039 CEST	1170	IN	HTTP/1.1 200 OK date: Sun, 06 Oct 2024 20:00:19 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
Oct 6, 2024 22:00:20.539251089 CEST	1170	IN	HTTP/1.1 200 OK date: Sun, 06 Oct 2024 20:00:19 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Analysis Process: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exePID: 7172, Parent PID: 4056

General

Target ID:	6
Start time:	16:00:15
Start date:	06/10/2024
Path:	C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe"
Imagebase:	0x400000
File size:	494'592 bytes
MD5 hash:	E9057285AAFB6978445C07029FDC5898
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000000.1273413093.0000000000459000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000000.1273413093.0000000000459000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000000.1273413093.0000000000459000.00000002.00000001.01000000.00000004.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.3736612366.0000000000459000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.3736612366.0000000000459000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.3736612366.0000000000459000.00000002.00000001.01000000.00000004.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.3736983061.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Chronological Activities

Analysis Process: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exePID: 7432, Parent PID: 7172

General

Target ID:	9
Start time:	16:00:18
Start date:	06/10/2024
Path:	C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\xttxrevmuropxyhmme"
Imagebase:	0x400000
File size:	494'592 bytes
MD5 hash:	E9057285AAFB6978445C07029FDC5898
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000000.1305912992.0000000000459000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000000.1305912992.0000000000459000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000000.1305912992.0000000000459000.00000002.00000001.01000000.00000004.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Chronological Activities

Analysis Process: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exePID: 7440, Parent PID: 7172

General

Target ID:	10
Start time:	16:00:18
Start date:	06/10/2024
Path:	C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\hnyqswgoizgciedqvprkl"
Imagebase:	0x400000
File size:	494'592 bytes
MD5 hash:	E9057285AAFB6978445C07029FDC5898
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000000.1306197099.0000000000459000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000000.1306197099.0000000000459000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000000.1306197099.0000000000459000.00000002.00000001.01000000.00000004.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Chronological Activities

Analysis Process: 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exePID: 7456, Parent PID: 7172

General

Target ID:	11
Start time:	16:00:18
Start date:	06/10/2024
Path:	C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\jpebsprhwhyhkkrunalmokuw"
Imagebase:	0x400000
File size:	494'592 bytes
MD5 hash:	E9057285AAFB6978445C07029FDC5898
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000000.1306494613.0000000000459000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000000.1306494613.0000000000459000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000000.1306494613.0000000000459000.00000002.00000001.01000000.00000004.sdmp, Author: unknown
Reputation:	low
Has exited:	true