Windows Analysis Report
fu56fbrtn8.exe

Overview

General Information

Sample name: fu56fbrtn8.exe
renamed because original name is a hash value
Original sample name: da7c2473b5c455f25f420827af596286.exe
Analysis ID: 1430790
MD5: da7c2473b5c455f25f420827af596286
SHA1: 101b5f991a26fc9213c4445bd9bfdb87a6a6c5cb
SHA256: e1cecfcc4eed2f4b74af7d971dcf24555534db164ddb0b7cd1e821b2f0402703
Tags: 32, exe, trojan

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Delayed program exit found
Drops PE files with a suspicious file extension
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file contains section with special chars
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection

Source: http://geoplugin.net/json.gp/C URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp URL Reputation: Label: phishing
Source: C:\Users\Public\Libraries\netutils.dll Avira: detection malicious, Label: TR/AVI.Agent.rqsyc
Source: 00000008.00000002.1531336451.0000000000921000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "duckdns.org:1144:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-VLI916", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\ProgramData\Remcos\remcos.exe ReversingLabs: Detection: 71%
Source: C:\ProgramData\Remcos\remcos.exe Virustotal: Detection: 73%
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF ReversingLabs: Detection: 71%
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Virustotal: Detection: 73%
Source: C:\Users\Public\Libraries\netutils.dll ReversingLabs: Detection: 82%
Source: C:\Users\Public\Libraries\netutils.dll Virustotal: Detection: 67%
Source: fu56fbrtn8.exe ReversingLabs: Detection: 71%
Source: fu56fbrtn8.exe Virustotal: Detection: 73%
Source: Yara match File source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000003.1914864143.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1531336451.0000000000921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1787599140.0000000000608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.1645700884.0000000000856000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1739100863.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1739100863.00000000009E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1421024098.000000000080D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fu56fbrtn8.exe PID: 5592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Cmzcxhwn.PIF PID: 5652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 4424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 6012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Cmzcxhwn.PIF PID: 2700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 4692, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\fgdghrd\logs.dat, type: DROPPED
Source: C:\ProgramData\Remcos\remcos.exe Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Joe Sandbox ML: detected
Source: fu56fbrtn8.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B3837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_156B3837
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AC3837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 8_2_14AC3837
Source: fu56fbrtn8.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match File source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fu56fbrtn8.exe PID: 5592, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156874FD _wcslen,CoGetObject, 0_2_156874FD

Compliance

Source: C:\Users\user\Desktop\fu56fbrtn8.exe Unpacked PE file: 0.2.fu56fbrtn8.exe.15680000.10.unpack
Source: fu56fbrtn8.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: Binary string: easinvoker.pdbH source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1417481054.00000000150FE000.00000004.00000020.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15689665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_15689665
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_1568C34D
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15689253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_15689253
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_1569C291
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_1568BD37
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156CE879 FindFirstFileExA, 0_2_156CE879
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568783C FindFirstFileW,FindNextFileW, 0_2_1568783C
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_1568880C
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_1568BB30
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15699AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_15699AF5
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DE58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02DE58CC
Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_33A510F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 6_2_33A510F1
Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_33A56580 FindFirstFileExA, 6_2_33A56580
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14ADE879 FindFirstFileExA, 8_2_14ADE879
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A99665 FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_14A99665
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A9783C FindFirstFileW,FindNextFileW, 8_2_14A9783C
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A9880C FindFirstFileW,FindNextFileW,FindClose, 8_2_14A9880C
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AAC291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 8_2_14AAC291
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AA9AF5 FindFirstFileW, 8_2_14AA9AF5
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A9BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_14A9BB30
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A9C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 8_2_14A9C34D
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15687C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_15687C97

Networking

Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.8:49711 -> 103.186.117.142:1144
Source: Traffic Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 103.186.117.142:1144 -> 192.168.2.8:49711
Source: Malware configuration extractor URLs: duckdns.org
Source: unknown DNS query: name: oceansss.duckdns.org
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DFC8AC InternetCheckConnectionA, 0_2_02DFC8AC
Source: global traffic TCP traffic: 192.168.2.8:49711 -> 103.186.117.142:1144
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 13.107.139.11
Source: Joe Sandbox View IP Address: 178.237.33.50
Source: Joe Sandbox View ASN Name: AARNET-AS-AP Australian Academic and Research Network AARNe
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /download?resid=FDB0512DE793B32E%21192&authkey=!AAbMANNKbvJdxgc HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569662D Sleep,URLDownloadToFileW, 0_2_1569662D
Source: global traffic HTTP traffic detected: GET /download?resid=FDB0512DE793B32E%21192&authkey=!AAbMANNKbvJdxgc HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: remcos.exe, 00000009.00000002.1583028383.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.1631551774.0000000002328000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: remcos.exe, 00000009.00000002.1583028383.00000000022A8000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.1631551774.0000000002328000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv2770.tmp.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv2770.tmp.9.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: remcos.exe, 00000006.00000003.1490133116.0000000033690000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/
Source: fu56fbrtn8.exe, remcos.exe, 00000006.00000003.1523378434.000000003369A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.1490133116.0000000033690000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3845884495.000000003369A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.2205008076.0000000033696000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3813258575.000000000071A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp, bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://geoplugin.net/json.gp
Source: fu56fbrtn8.exe, 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1549703628.0000000014AFB000.00000040.00001000.00020000.00000000.sdmp, remcos.exe, 00000010.00000002.1659495150.000000001514B000.00000040.00001000.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.1752157140.000000001515B000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: remcos.exe, 00000006.00000003.1523378434.000000003369A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.1490133116.0000000033690000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3845884495.000000003369A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.2205008076.0000000033696000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpL
Source: remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpL9
Source: remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpLL
Source: remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gphB
Source: remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpoft
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://ocsp.digicert.com0Q
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://ocsp.msocsp.com0S
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://ocspx.digicert.com0E
Source: bhv2770.tmp.9.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: http://www.digicert.com/CPS0~
Source: remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: remcos.exe, 0000000B.00000003.1533269381.000000000056D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000B.00000003.1533356581.000000000056D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, remcos.exe, 0000000F.00000003.1587508124.000000000058D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000F.00000003.1587761569.000000000058D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: remcos.exe, 0000000B.00000003.1533269381.000000000056D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000B.00000003.1533356581.000000000056D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000F.00000003.1587508124.000000000058D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000F.00000003.1587761569.000000000058D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.comata
Source: remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: remcos.exe, 00000009.00000002.1578803145.0000000000193000.00000004.00000010.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.1627422473.0000000000194000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pmail.com
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?5b3bec92835bc024c52f96dd
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?f0f7e1407b69bd65640be717
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f343d3a8731ffea490b8b5c3
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f92d19bcbba8eb1999dabbc8
Source: bhv2770.tmp.9.dr String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=LO
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv2770.tmp.9.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv2770.tmp.9.dr String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a&
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=MIRA-WW-PH7&FrontEn
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: fu56fbrtn8.exe, 00000000.00000002.1421024098.0000000000823000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3819338341.0000000000772000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.1739100863.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://live.com/
Source: remcos.exe, 00000010.00000003.1645700884.000000000088D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://live.com/S
Source: remcos.exe, 00000013.00000003.1914864143.0000000000810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://live.com/l
Source: bhv2770.tmp.9.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv2770.tmp.9.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv2770.tmp.9.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-08-30-16/PreSignInSettingsConfig.json
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=13164f2a9ee6956f1439
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=b92552
Source: remcos.exe, 00000013.00000003.1914864143.00000000007D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/B
Source: remcos.exe, 00000011.00000002.1739100863.0000000000926000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/L
Source: remcos.exe, 00000013.00000002.1928082246.00000000140F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?resid=FDB0512DE793B32E%21192&authkey=
Source: remcos.exe, 00000010.00000003.1645700884.0000000000826000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/gR
Source: remcos.exe, 00000010.00000003.1645700884.000000000088D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000013.00000003.1914864143.000000000083A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oqgp5g.db.files.1drv.com/
Source: fu56fbrtn8.exe, 00000000.00000002.1421024098.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oqgp5g.db.files.1drv.com/)hVS
Source: remcos.exe, 00000011.00000002.1739100863.00000000009BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oqgp5g.db.files.1drv.com/D
Source: remcos.exe, 00000013.00000003.1914864143.000000000083A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000013.00000003.1914864143.000000000081F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oqgp5g.db.files.1drv.com/y4mBqG2XWpzBzSvN2kPaNUx-09fMnbsE2AbR6Fc3TpLJhs6tiT5fqXCxcWK4x989O9Y
Source: remcos.exe, 00000011.00000002.1739100863.00000000009CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oqgp5g.db.files.1drv.com/y4mMFFkYYwN0t0OSAIBWRwi6fQ3Q4XNZ5ZTI7CjrOq6bQT78Okek-WvtG9h-If59Adw
Source: remcos.exe, 00000013.00000002.1918208186.0000000000868000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oqgp5g.db.files.1drv.com/y4mS7-09cDgh9l-spZEVYc4X4sz7LO4DIkbEuCnO10bm0osuWSl7tRLcAVFGx7-sRmq
Source: fu56fbrtn8.exe, 00000000.00000002.1421024098.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oqgp5g.db.files.1drv.com/y4mcrmPTZ2L_86niwd7Bu_ffro-TLyMBDfLgpQuXM7S3NIuO87j54n8Dfi6-LFoUs3a
Source: remcos.exe, 00000010.00000003.1645700884.000000000088D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oqgp5g.db.files.1drv.com/y4msMUOKNxzSXc79LnjXbgaTWjPZ-zo_lPFnd-m9JJcIecYw2VkvQ1RrP2qqhLCejbl
Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oqgp5g.db.files.1drv.com/y4mzx7lSeeAwusg9Zi636Xfs7GnQpJEFwP-ghRD9wO-49fLPVE-Xv-39OCRs6SS43X7
Source: remcos.exe, 00000013.00000003.1914864143.000000000081F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oqgp5g.db.files.1drv.com:443/y4mBqG2XWpzBzSvN2kPaNUx-09fMnbsE2AbR6Fc3TpLJhs6tiT5fqXCxcWK4x98
Source: remcos.exe, 00000011.00000002.1739100863.00000000009CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oqgp5g.db.files.1drv.com:443/y4mMFFkYYwN0t0OSAIBWRwi6fQ3Q4XNZ5ZTI7CjrOq6bQT78Okek-WvtG9h-If5
Source: fu56fbrtn8.exe, 00000000.00000002.1421024098.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oqgp5g.db.files.1drv.com:443/y4mcrmPTZ2L_86niwd7Bu_ffro-TLyMBDfLgpQuXM7S3NIuO87j54n8Dfi6-LFo
Source: remcos.exe, 00000010.00000002.1647920314.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000010.00000003.1645700884.000000000088D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oqgp5g.db.files.1drv.com:443/y4msMUOKNxzSXc79LnjXbgaTWjPZ-zo_lPFnd-m9JJcIecYw2VkvQ1RrP2qqhLC
Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oqgp5g.db.files.1drv.com:443/y4mzx7lSeeAwusg9Zi636Xfs7GnQpJEFwP-ghRD9wO-49fLPVE-Xv-39OCRs6SS
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?407dab52f7bc43350b5cde12afe93269
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?469316a07faf13c962eeef1395652e59
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: remcos.exe, 0000000B.00000002.1534062723.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr String found in binary or memory: https://www.office.com/
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.8:49725 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568A2B8 SetWindowsHookExA 0000000D,1568A2A4,00000000 0_2_1568A2B8
Source: C:\ProgramData\Remcos\remcos.exe Windows user hook set: 0 keyboard low level C:\ProgramData\Remcos\remcos.exe Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568B70E OpenClipboard,GetClipboardData,CloseClipboard, 0_2_1568B70E
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156968C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_156968C1
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568B70E OpenClipboard,GetClipboardData,CloseClipboard, 0_2_1568B70E
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 0_2_1568A3E0
Source: Yara match File source: Process Memory Space: fu56fbrtn8.exe PID: 5592, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000003.1914864143.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1531336451.0000000000921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1787599140.0000000000608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.1645700884.0000000000856000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1739100863.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1739100863.00000000009E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1421024098.000000000080D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fu56fbrtn8.exe PID: 5592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Cmzcxhwn.PIF PID: 5652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 4424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 6012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Cmzcxhwn.PIF PID: 2700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 4692, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\fgdghrd\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569C9E2 SystemParametersInfoW, 0_2_1569C9E2
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AAC9E2 SystemParametersInfoW, 8_2_14AAC9E2

System Summary

Source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000002.1752157140.000000001515B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.1549703628.0000000014AFB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000010.00000002.1659495150.000000001514B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: fu56fbrtn8.exe PID: 5592, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Cmzcxhwn.PIF PID: 5652, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: remcos.exe PID: 4424, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: remcos.exe PID: 6012, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\Public\Libraries\CmzcxhwnO.bat, type: DROPPED Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
Source: netutils.dll.0.dr Static PE information: section name: .
Source: netutils.dll.0.dr Static PE information: section name: .
Source: netutils.dll.0.dr Static PE information: section name: .
Source: netutils.dll.0.dr Static PE information: section name: .
Source: netutils.dll.0.dr Static PE information: section name: .
Source: netutils.dll.0.dr Static PE information: section name: .
Source: netutils.dll.0.dr Static PE information: section name: .
Source: netutils.dll.0.dr Static PE information: section name: .
Source: netutils.dll.0.dr Static PE information: section name: .
Source: netutils.dll.0.dr Static PE information: section name: .
Source: netutils.dll.0.dr Static PE information: section name: .
Source: C:\ProgramData\Remcos\remcos.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156932D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 0_2_156932D2
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569BB35 OpenProcess,NtResumeProcess,CloseHandle, 0_2_1569BB35
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569BB09 OpenProcess,NtSuspendProcess,CloseHandle, 0_2_1569BB09
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DFC3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_02DFC3F8
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DFC368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_02DFC368
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DFC4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_02DFC4DC
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DF7968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_02DF7968
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DFC3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_02DFC3F6
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DF7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_02DF7AC0
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DF7966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_02DF7966
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DF7F48 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread, 0_2_02DF7F48
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DF7F46 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread, 0_2_02DF7F46
Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_02E0C4DC NtOpenFile,NtReadFile, 6_2_02E0C4DC
Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_02E07968 NtAllocateVirtualMemory, 6_2_02E07968
Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_02E07966 NtAllocateVirtualMemory, 6_2_02E07966
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_02D7C4DC NtOpenFile,NtReadFile, 8_2_02D7C4DC
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_02D77968 NtAllocateVirtualMemory, 8_2_02D77968
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_02D77966 NtAllocateVirtualMemory, 8_2_02D77966
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AAD58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 8_2_14AAD58F
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AA32D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile, 8_2_14AA32D2
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AABB35 OpenProcess,NtResumeProcess,CloseHandle, 8_2_14AABB35
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AABB09 OpenProcess,NtSuspendProcess,CloseHandle, 8_2_14AABB09
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DFCA6C CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle, 0_2_02DFCA6C
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156967B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 0_2_156967B4
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AA67B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 8_2_14AA67B9
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE265E 0_3_02BE265E
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE0719 0_3_02BE0719
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE1362 0_3_02BE1362
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE134B 0_3_02BE134B
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE10BD 0_3_02BE10BD
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE14BD 0_3_02BE14BD
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE04A9 0_3_02BE04A9
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE049D 0_3_02BE049D
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE0485 0_3_02BE0485
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE20F2 0_3_02BE20F2
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE10D5 0_3_02BE10D5
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE10C9 0_3_02BE10C9
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE14C9 0_3_02BE14C9
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE102E 0_3_02BE102E
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE0425 0_3_02BE0425
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE2018 0_3_02BE2018
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE0419 0_3_02BE0419
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE040D 0_3_02BE040D
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE0000 0_3_02BE0000
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE1045 0_3_02BE1045
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE09BC 0_3_02BE09BC
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE09B0 0_3_02BE09B0
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE09A4 0_3_02BE09A4
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE11EA 0_3_02BE11EA
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE01DE 0_3_02BE01DE
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE153D 0_3_02BE153D
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE0D38 0_3_02BE0D38
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE1531 0_3_02BE1531
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE2953 0_3_02BE2953
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BE1549 0_3_02BE1549
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156BE558 0_2_156BE558
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B74E6 0_2_156B74E6
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B8770 0_2_156B8770
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B8168 0_2_156B8168
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156D4159 0_2_156D4159
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156C61F0 0_2_156C61F0
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569F0FA 0_2_1569F0FA
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156BE0CC 0_2_156BE0CC
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156D332B 0_2_156D332B
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156A739D 0_2_156A739D
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156BE2FB 0_2_156BE2FB
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B7D33 0_2_156B7D33
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B6FEA 0_2_156B6FEA
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15693FCA 0_2_15693FCA
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B5E5E 0_2_156B5E5E
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156A6E0E 0_2_156A6E0E
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156BDE9D 0_2_156BDE9D
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B3946 0_2_156B3946
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156CD9C9 0_2_156CD9C9
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B78FE 0_2_156B78FE
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569DB62 0_2_1569DB62
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156A7BAF 0_2_156A7BAF
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156A7A46 0_2_156A7A46
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DE20C4 0_2_02DE20C4
Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_33A67194 6_2_33A67194
Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_33A5B5C1 6_2_33A5B5C1
Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_02DF20C4 6_2_02DF20C4
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_02D620C4 8_2_02D620C4
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AC74E6 8_2_14AC74E6
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14ACE558 8_2_14ACE558
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14ACDE9D 8_2_14ACDE9D
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AC5E5E 8_2_14AC5E5E
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AC6FEA 8_2_14AC6FEA
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AC78FE 8_2_14AC78FE
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14ACE0CC 8_2_14ACE0CC
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AD61F0 8_2_14AD61F0
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AC3946 8_2_14AC3946
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14ACE2FB 8_2_14ACE2FB
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AE332B 8_2_14AE332B
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AADB62 8_2_14AADB62
Source: Joe Sandbox View Dropped File: C:\ProgramData\Remcos\remcos.exe E1CECFCC4EED2F4B74AF7D971DCF24555534DB164DDB0B7CD1E821B2F0402703
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\Cmzcxhwn.PIF E1CECFCC4EED2F4B74AF7D971DCF24555534DB164DDB0B7CD1E821B2F0402703
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: String function: 14AC4E10 appears 54 times
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: String function: 02D66658 appears 32 times
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: String function: 02D64698 appears 156 times
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: String function: 02D64824 appears 628 times
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: String function: 02DE44A0 appears 67 times
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: String function: 156B4770 appears 41 times
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: String function: 156B4E10 appears 54 times
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: String function: 15681E65 appears 35 times
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: String function: 02DE4698 appears 247 times
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: String function: 02DE6658 appears 32 times
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: String function: 02DE4824 appears 882 times
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: String function: 15682093 appears 50 times
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: String function: 02DF7BE8 appears 45 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 02DF4698 appears 156 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 02DF6658 appears 32 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 02DF4824 appears 628 times
Source: netutils.dll.0.dr Static PE information: Number of sections : 19 > 10
Source: fu56fbrtn8.exe Binary or memory string: OriginalFilename vs fu56fbrtn8.exe
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs fu56fbrtn8.exe
Source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs fu56fbrtn8.exe
Source: fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs fu56fbrtn8.exe
Source: fu56fbrtn8.exe, 00000000.00000003.1417481054.00000000150FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs fu56fbrtn8.exe
Source: fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs fu56fbrtn8.exe
Source: fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs fu56fbrtn8.exe
Source: fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs fu56fbrtn8.exe
Source: fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs fu56fbrtn8.exe
Source: fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs fu56fbrtn8.exe
Source: fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs fu56fbrtn8.exe
Source: fu56fbrtn8.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000011.00000002.1752157140.000000001515B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.1549703628.0000000014AFB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000010.00000002.1659495150.000000001514B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: fu56fbrtn8.exe PID: 5592, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Cmzcxhwn.PIF PID: 5652, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: remcos.exe PID: 4424, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: remcos.exe PID: 6012, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\Public\Libraries\CmzcxhwnO.bat, type: DROPPED Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@27/17@5/3
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15697952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_15697952
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AA7952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 8_2_14AA7952
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DE7F90 GetDiskFreeSpaceA, 0_2_02DE7F90
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 0_2_1568F474
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DF6D84 CoCreateInstance, 0_2_02DF6D84
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 0_2_1569B4A8
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569AC78 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_1569AC78
Source: C:\Users\user\Desktop\fu56fbrtn8.exe File created: C:\Users\Public\Libraries\Null
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1484:120:WilError_03
Source: C:\ProgramData\Remcos\remcos.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-VLI916
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
Source: C:\ProgramData\Remcos\remcos.exe File created: C:\Users\user\AppData\Local\Temp\bhv2770.tmp
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\CmzcxhwnO.bat" "
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Remcos\remcos.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\fu56fbrtn8.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp, remcos.exe, 0000000A.00000002.1530499601.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: remcos.exe, 00000009.00000002.1583187029.000000000270E000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.1631665563.000000000290E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: remcos.exe, 00000009.00000002.1579077199.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: fu56fbrtn8.exe ReversingLabs: Detection: 71%
Source: fu56fbrtn8.exe Virustotal: Detection: 73%
Source: C:\Users\user\Desktop\fu56fbrtn8.exe File read: C:\Users\user\Desktop\fu56fbrtn8.exe
Source: unknown Process created: C:\Users\user\Desktop\fu56fbrtn8.exe "C:\Users\user\Desktop\fu56fbrtn8.exe"
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\CmzcxhwnO.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\fu56fbrtn8.exe C:\\Users\\Public\\Libraries\\Cmzcxhwn.PIF
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\Public\Libraries\Cmzcxhwn.PIF "C:\Users\Public\Libraries\Cmzcxhwn.PIF"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\kcrrhbu"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\uxwkztfesgm"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\fzkcamqygoemct"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\cidefd"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\mkqxyvffd"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\wevpzoqgrjkc"
Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: archiveint.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: url.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: eamsi.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ???y.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ????.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ???2.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ???.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??????s.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: winhttpcom.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: fu56fbrtn8.exe Static file information: File size 1639424 > 1048576
Source: fu56fbrtn8.exe Static PE information: Raw size of DATA is bigger than: 0x100000 < 0x114800
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1412139701.000000007F420000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: Binary string: easinvoker.pdbH source: fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1417481054.00000000150FE000.00000004.00000020.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\fu56fbrtn8.exe Unpacked PE file: 0.2.fu56fbrtn8.exe.15680000.10.unpack
Source: Yara match File source: 0.2.fu56fbrtn8.exe.2d1ce08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.fu56fbrtn8.exe.2de0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.fu56fbrtn8.exe.2d3e308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.fu56fbrtn8.exe.2d3e308.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.fu56fbrtn8.exe.2cd9910.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1428399500.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1789281992.0000000002D51000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1649498271.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3821247162.0000000002DF1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1533650563.0000000002D61000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_1569CB50
Source: initial sample Static PE information: section where entry point is pointing to: .
Source: Cmzcxhwn.PIF.5.dr Static PE information: real checksum: 0x0 should be: 0x1918cf
Source: netutils.dll.0.dr Static PE information: real checksum: 0x2c00d should be: 0x1f08e
Source: fu56fbrtn8.exe Static PE information: real checksum: 0x0 should be: 0x1918cf
Source: remcos.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x1918cf
Source: easinvoker.exe.0.dr Static PE information: section name: .imrsiv
Source: netutils.dll.0.dr Static PE information: section name: .
Source: netutils.dll.0.dr Static PE information: section name: /4
Source: netutils.dll.0.dr Static PE information: section name: /19
Source: netutils.dll.0.dr Static PE information: section name: /31
Source: netutils.dll.0.dr Static PE information: section name: /45
Source: netutils.dll.0.dr Static PE information: section name: /57
Source: netutils.dll.0.dr Static PE information: section name: /70
Source: netutils.dll.0.dr Static PE information: section name: /81
Source: netutils.dll.0.dr Static PE information: section name: /92
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_029E009D push dword ptr [esi-5D3DF0BBh]; retf 0_3_029E00B1
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_029E2BAE push dword ptr [esi-5D3D056Dh]; iretd 0_3_029E2BB5
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_029E23C9 push dword ptr [esi-5D3D05BBh]; iretd 0_3_029E23DD
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02B0C6F9 push cs; retf 0_3_02B0C6FE
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02B0802D push ss; retf 0_3_02B08053
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02AE57F3 push edi; iretd 0_3_02AE57F4
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02B0C120 push es; retf 0_3_02B0C12B
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BA12D3 pushfd ; ret 0_3_02BA12D4
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BA5FF8 push es; retf 0_3_02BA6003
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BA65D1 push cs; retf 0_3_02BA65D6
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_3_02BA1F05 push ss; retf 0_3_02BA1F2B
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156DE54D push esi; ret 0_2_156DE556
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156DB163 push esp; ret 0_2_156DB141
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156DB143 pushad ; ret 0_2_156DB151
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156D7106 push ecx; ret 0_2_156D7119
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156DB18B pushfd ; ret 0_2_156DB191
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156DB0F3 push esp; ret 0_2_156DB141
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B4E56 push ecx; ret 0_2_156B4E69
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156DC963 push eax; retf 0_2_156DC981
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156DC983 pushad ; retf 0_2_156DC989
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156D7A28 push eax; ret 0_2_156D7A46
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02E0A2F4 push 02E0A35Fh; ret 0_2_02E0A357
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DE32F0 push eax; ret 0_2_02DE332C
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DFD20C push ecx; mov dword ptr [esp], edx 0_2_02DFD211
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DE6374 push 02DE63CFh; ret 0_2_02DE63C7
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DE6372 push 02DE63CFh; ret 0_2_02DE63C7
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02E0A0AC push 02E0A125h; ret 0_2_02E0A11D
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DF3028 push 02DF3075h; ret 0_2_02DF306D
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DF3027 push 02DF3075h; ret 0_2_02DF306D
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02E0A1F8 push 02E0A288h; ret 0_2_02E0A280
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02E0A144 push 02E0A1ECh; ret 0_2_02E0A1E4

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\extrac32.exe File created: C:\Users\Public\Libraries\Cmzcxhwn.PIF
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15686EB0 ShellExecuteW,URLDownloadToFileW, 0_2_15686EB0
Source: C:\Users\user\Desktop\fu56fbrtn8.exe File created: C:\ProgramData\Remcos\remcos.exe
Source: C:\Users\user\Desktop\fu56fbrtn8.exe File created: C:\Users\Public\Libraries\easinvoker.exe
Source: C:\Users\user\Desktop\fu56fbrtn8.exe File created: C:\Users\Public\Libraries\netutils.dll

Boot Survival

Source: C:\Users\user\Desktop\fu56fbrtn8.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-VLI916
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Cmzcxhwn
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569AB0D OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_1569AB0D
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-VLI916
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_1569CB50
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568F7A7 Sleep,ExitProcess, 0_2_1568F7A7
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A9F7A7 Sleep,ExitProcess, 8_2_14A9F7A7
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_1569A748
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 8_2_14AAA748
Source: C:\ProgramData\Remcos\remcos.exe Window / User API: threadDelayed 2047
Source: C:\ProgramData\Remcos\remcos.exe Window / User API: threadDelayed 7621
Source: C:\ProgramData\Remcos\remcos.exe Window / User API: foregroundWindowGot 1742
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Evasive API call chain: RegQueryValue,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\fu56fbrtn8.exe API coverage: 8.9 %
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF API coverage: 1.7 %
Source: C:\ProgramData\Remcos\remcos.exe TID: 1736 Thread sleep time: -62000s >= -30000s
Source: C:\ProgramData\Remcos\remcos.exe TID: 3232 Thread sleep time: -6141000s >= -30000s
Source: C:\ProgramData\Remcos\remcos.exe TID: 3232 Thread sleep time: -22863000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15689665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_15689665
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_1568C34D
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15689253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_15689253
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_1569C291
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_1568BD37
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156CE879 FindFirstFileExA, 0_2_156CE879
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568783C FindFirstFileW,FindNextFileW, 0_2_1568783C
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_1568880C
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1568BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_1568BB30
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15699AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_15699AF5
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DE58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02DE58CC
Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_33A510F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 6_2_33A510F1
Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_33A56580 FindFirstFileExA, 6_2_33A56580
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14ADE879 FindFirstFileExA, 8_2_14ADE879
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A99665 FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_14A99665
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A9783C FindFirstFileW,FindNextFileW, 8_2_14A9783C
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A9880C FindFirstFileW,FindNextFileW,FindClose, 8_2_14A9880C
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AAC291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 8_2_14AAC291
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AA9AF5 FindFirstFileW, 8_2_14AA9AF5
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A9BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_14A9BB30
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14A9C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 8_2_14A9C34D
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15687C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_15687C97
Source: remcos.exe, 00000013.00000003.1914864143.00000000007D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: remcos.exe, 00000011.00000002.1739100863.0000000000958000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW.
Source: remcos.exe, 00000013.00000003.1914864143.00000000007E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWUo
Source: remcos.exe, 00000011.00000002.1739100863.0000000000926000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(=
Source: fu56fbrtn8.exe, 00000000.00000002.1421024098.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1421024098.000000000080D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3813258575.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3813258575.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000010.00000003.1645700884.0000000000856000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000010.00000003.1645700884.0000000000826000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000011.00000002.1739100863.0000000000958000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000013.00000003.1914864143.00000000007E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: fu56fbrtn8.exe, 00000000.00000002.1421024098.000000000080D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW'
Source: bhv3CFC.tmp.13.dr, bhv2770.tmp.9.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: Cmzcxhwn.PIF, 00000012.00000002.1787599140.00000000005D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
Source: Cmzcxhwn.PIF, 00000008.00000002.1531336451.00000000008F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\fu56fbrtn8.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF API call chain: ExitProcess graph end node
Source: C:\ProgramData\Remcos\remcos.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B49F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_156B49F9
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_1569CB50
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156C32B5 mov eax, dword ptr fs:[00000030h] 0_2_156C32B5
Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_33A54AB4 mov eax, dword ptr fs:[00000030h] 6_2_33A54AB4
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AD32B5 mov eax, dword ptr fs:[00000030h] 8_2_14AD32B5
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15692077 GetProcessHeap,HeapFree, 0_2_15692077
Source: C:\ProgramData\Remcos\remcos.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B4FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_156B4FDC
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B49F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_156B49F9
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B4B47 SetUnhandledExceptionFilter, 0_2_156B4B47
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156BBB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_156BBB22
Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_33A52B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_33A52B1C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_33A52639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_33A52639
Source: C:\ProgramData\Remcos\remcos.exe Code function: 6_2_33A560E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_33A560E2
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AC4FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_14AC4FDC
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AC49F8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_14AC49F8
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AC49F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_14AC49F9
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14ACBB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_14ACBB22
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: 8_2_14AC4B47 SetUnhandledExceptionFilter, 8_2_14AC4B47
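
The three "mov eax, dword ptr fs:[00000030h]" hits above are the sandbox's static signature for a read of the 32-bit PEB pointer, which is how code reaches PEB.BeingDebugged (offset 2) and PEB.NtGlobalFlag (offset 0x68) without calling IsDebuggerPresent. The scanner below is an added example for this report, not Joe Sandbox or sample code: it searches a byte buffer for that idiom, for the same read through the other general registers, and for the two-step fs:[18h] (TEB self pointer) then [eax+30h] variant that a rule written only for fs:[30h] misses, and records whether the next instruction reads BeingDebugged. The scanned bytes are constructed here. Two caveats: 64-bit code reads the PEB at gs:[60h], which this scanner does not cover, and the MSVC runtime also reads the PEB (the IsProcessorFeaturePresent/IsDebuggerPresent/SetUnhandledExceptionFilter/TerminateProcess chains listed above are its GS-cookie failure handler), so a hit is a triage pointer, not proof of anti-debugging on its own.

```python
"""
Static scan for 32-bit PEB-access idioms (the "mov eax, fs:[30h]" signature
in this report). Added example; the code bytes scanned are constructed.
"""

# ModRM byte -> register for "mov r32, dword ptr fs:[disp32]" (8B /r, mod=00 rm=101).
REG_BY_MODRM = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx", 0x35: "esi", 0x3D: "edi"}

# Instructions that read PEB.BeingDebugged (offset 2) when eax holds the PEB pointer:
# movzx eax, byte ptr [eax+2] / mov al, [eax+2] / cmp byte ptr [eax+2], 0
BEING_DEBUGGED_READS = (b"\x0f\xb6\x40\x02", b"\x8a\x40\x02", b"\x80\x78\x02\x00")


def peb_patterns():
    """Yield (pattern, register holding the PEB pointer afterwards, via_teb)."""
    # Short form: A1 moffs32 with an fs: segment override (the form the report lists).
    yield b"\x64\xa1\x30\x00\x00\x00", "eax", False
    for modrm, reg in REG_BY_MODRM.items():
        yield b"\x64\x8b" + bytes([modrm]) + b"\x30\x00\x00\x00", reg, False
    # Two-step variant: mov eax, fs:[18h] (TEB.Self) ; mov eax, [eax+30h] (TEB.Peb).
    yield b"\x64\xa1\x18\x00\x00\x00\x8b\x40\x30", "eax", True


def find_peb_reads(code):
    """Return hits sorted by offset; each hit says which idiom matched and whether
    the following instruction reads PEB.BeingDebugged."""
    hits = []
    for pat, reg, via_teb in peb_patterns():
        start = 0
        while True:
            off = code.find(pat, start)
            if off < 0:
                break
            following = code[off + len(pat): off + len(pat) + 4]
            hits.append({
                "offset": off,
                "reg": reg,
                "via_teb": via_teb,
                "reads_beingdebugged": reg == "eax"
                and any(following.startswith(p) for p in BEING_DEBUGGED_READS),
            })
            start = off + 1
    return sorted(hits, key=lambda h: h["offset"])


# Constructed code buffer with three PEB reads separated by NOP padding.
SAMPLE_CODE = (
    b"\x90" * 4
    + b"\x64\xa1\x30\x00\x00\x00"          # mov eax, fs:[30h]            (offset 4)
    + b"\x0f\xb6\x40\x02"                  # movzx eax, byte ptr [eax+2]  BeingDebugged
    + b"\x85\xc0\x75\x05"                  # test eax, eax ; jnz +5
    + b"\x90" * 8
    + b"\x64\x8b\x0d\x30\x00\x00\x00"      # mov ecx, fs:[30h]            (offset 26)
    + b"\x8b\x49\x68"                      # mov ecx, [ecx+68h]           NtGlobalFlag
    + b"\x90" * 8
    + b"\x64\xa1\x18\x00\x00\x00\x8b\x40\x30"  # mov eax, fs:[18h] ; mov eax, [eax+30h] (offset 44)
    + b"\x8a\x40\x02"                      # mov al, [eax+2]              BeingDebugged
    + b"\xc3"                              # ret
)

if __name__ == "__main__":
    for h in find_peb_reads(SAMPLE_CODE):
        print(h)
```

Run it against a dumped .text section (for instance the 0.2.fu56fbrtn8.exe.15680000.10.unpack region the Yara hits above refer to) by reading the file as bytes and passing it to find_peb_reads; offsets are relative to the buffer start, so add the section's virtual address to get the address the report prints.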

HIPS / PFW / Operating System Protection Evasion

Source: C:\ProgramData\Remcos\remcos.exe Section loaded: NULL target: C:\ProgramData\Remcos\remcos.exe protection: execute and read and write
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_156920F7
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_15699627 mouse_event, 0_2_15699627
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\kcrrhbu"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\uxwkztfesgm"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\fzkcamqygoemct"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\cidefd"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\mkqxyvffd"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\wevpzoqgrjkc"
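
The process tree above is the most reliable hunting signal in this report: remcos.exe, running from C:\ProgramData, re-spawns its own image six times with "/stext <random file in %TEMP%>" (the save-as-text switch of the NirSoft password-recovery utilities, which is why the Stealing of Sensitive Information section follows), and the DBatLoader stage runs a .PIF out of C:\Users\Public\Libraries. The rules below are an added example for this report, not Joe Sandbox, Sigma or Remcos code; the events are constructed to mirror the process-creation lines above and use Sysmon-like field names (pid, ppid, image, cmdline), which is an assumption about the telemetry format.

```python
"""
Process-tree hunting rules for the remcos.exe "/stext" self-spawn, execution
from C:\\ProgramData or C:\\Users\\Public, and a .PIF launched from
C:\\Users\\Public\\Libraries. Added example; events are constructed.
"""
import re

# Folders behind the report's "Execution from Suspicious Folder" Sigma hit.
SUSPICIOUS_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")
# "/stext <file>": save-as-text switch of the NirSoft password-recovery tools.
STEXT_RE = re.compile(r'/stext\s+"?([^"]+)"?', re.IGNORECASE)
TEMP_MARK = "\\appdata\\local\\temp\\"

# Constructed events modelled on the report's process tree (PIDs as reported).
SAMPLE_EVENTS = [
    {"pid": 5592, "ppid": 4000, "image": r"C:\Users\user\Desktop\fu56fbrtn8.exe",
     "cmdline": r'"C:\Users\user\Desktop\fu56fbrtn8.exe"'},
    {"pid": 908, "ppid": 5592, "image": r"C:\ProgramData\Remcos\remcos.exe",
     "cmdline": r'"C:\ProgramData\Remcos\remcos.exe"'},
    {"pid": 4424, "ppid": 908, "image": r"C:\ProgramData\Remcos\remcos.exe",
     "cmdline": r'C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\kcrrhbu"'},
    {"pid": 6012, "ppid": 908, "image": r"C:\ProgramData\Remcos\remcos.exe",
     "cmdline": r'C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\uxwkztfesgm"'},
    {"pid": 5652, "ppid": 5592, "image": r"C:\Users\Public\Libraries\Cmzcxhwn.PIF",
     "cmdline": r'"C:\Users\Public\Libraries\Cmzcxhwn.PIF"'},
    # Benign control: a browser self-spawning a content process from Program Files.
    {"pid": 6999, "ppid": 4000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
    {"pid": 7000, "ppid": 6999, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc'},
]


def in_suspicious_dir(path):
    return path.lower().startswith(SUSPICIOUS_DIRS)


def evaluate(events):
    """Return (pid, rule) findings; one process may trigger several rules."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"]
        low = image.lower()
        parent = by_pid.get(e["ppid"])
        m = STEXT_RE.search(e["cmdline"])
        if m and TEMP_MARK in m.group(1).lower():
            findings.append((e["pid"], "stext_dump_to_temp"))
        if parent is not None and parent["image"].lower() == low and in_suspicious_dir(image):
            findings.append((e["pid"], "self_spawn_from_suspicious_dir"))
        if low.endswith(".exe") and in_suspicious_dir(image):
            findings.append((e["pid"], "exe_from_suspicious_dir"))
        if low.endswith(".pif") and in_suspicious_dir(image):
            findings.append((e["pid"], "pif_from_public_dir"))
    return findings


def suspicious_pids(events):
    return sorted({pid for pid, _ in evaluate(events)})


if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(pid, rule)
```

The self-spawn rule is deliberately conditioned on the image living in a user-writable folder, so the Firefox control (same image, child of itself, but under Program Files) produces nothing; the "/stext" rule on its own would also fire on an administrator running a NirSoft tool by hand, which is why the two are reported as separate findings rather than one score.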
Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\`
Source: remcos.exe, 00000006.00000002.3813258575.000000000069E000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3819338341.000000000077C000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\28
Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\rg:
Source: remcos.exe, 00000006.00000002.3813258575.000000000069E000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\
Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\w
Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\31
Source: remcos.exe, 00000006.00000002.3813258575.000000000069E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\s|X
Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\*|
Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\n
Source: remcos.exe, 00000006.00000002.3819338341.000000000077C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managert
Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\S
Source: remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managermcos\remcos.exexe
Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\i
Source: remcos.exe, 00000006.00000002.3819232580.000000000076C000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000003.2204886871.0000000000766000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3813258575.000000000073B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\*
Source: remcos.exe, 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager16\J
Source: remcos.exe, 00000006.00000003.2204454326.000000000078E000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000006.00000002.3819338341.000000000078E000.00000004.00000020.00020000.00000000.sdmp, logs.dat.6.dr Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156B4C52 cpuid 0_2_156B4C52
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetLocaleInfoW, 0_2_156D2543
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_156D243C
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: EnumSystemLocalesW, 0_2_156C8404
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_156D2610
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: EnumSystemLocalesW, 0_2_156D2036
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_156D20C3
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetLocaleInfoW, 0_2_156D2313
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_156D1CD8
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: EnumSystemLocalesW, 0_2_156D1F50
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: EnumSystemLocalesW, 0_2_156D1F9B
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetLocaleInfoW, 0_2_156C88ED
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetLocaleInfoA, 0_2_1568F8D1
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 0_2_02DFD5D0
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02DE5A90
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetLocaleInfoA, 0_2_02DEA7CC
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetLocaleInfoA, 0_2_02DEA780
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02DE5B9C
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 0_2_02DFD5D0
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 0_2_02E05FA0
Source: C:\ProgramData\Remcos\remcos.exe Code function: CoInitialize,EnumSystemLocalesA, 6_2_02E0D5D0
Source: C:\ProgramData\Remcos\remcos.exe Code function: EnumSystemLocalesA, 6_2_02E15F9F
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: EnumSystemLocalesA, 8_2_02D7D5D0
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: EnumSystemLocalesA, 8_2_02D85F9F
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 8_2_14AE1CD8
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_14AE243C
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: EnumSystemLocalesW, 8_2_14AD8404
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: GetLocaleInfoW, 8_2_14AE2543
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_14AE2610
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: EnumSystemLocalesW, 8_2_14AE1F9B
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: EnumSystemLocalesW, 8_2_14AE1F50
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: GetLocaleInfoW, 8_2_14AD88ED
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: EnumSystemLocalesW, 8_2_14AE2036
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: GetLocaleInfoW, 8_2_14AE230A
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: GetLocaleInfoW, 8_2_14AE2313
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Code function: GetLocaleInfoA, 8_2_14A9F8D1
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569B4EF GetLocalTime, 0_2_1569B4EF
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_1569B60D GetComputerNameExW,GetUserNameW, 0_2_1569B60D
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_156C9190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_156C9190
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: 0_2_02DEB748 GetVersionExA, 0_2_02DEB748
Source: C:\ProgramData\Remcos\remcos.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441486890.0000000015280000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: cmdagent.exe
Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441486890.0000000015280000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: quhlpsvc.exe
Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441486890.0000000015280000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: avgamsvr.exe
Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441486890.0000000015280000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: TMBMSRV.exe
Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441486890.0000000015280000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: Vsserv.exe
Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441486890.0000000015280000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: avgupsvc.exe
Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441486890.0000000015280000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: avgemc.exe
Source: fu56fbrtn8.exe, fu56fbrtn8.exe, 00000000.00000002.1456766146.000000007F190000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1425865491.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000003.1411808310.000000007EC00000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1437992219.0000000014090000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1441486890.0000000015280000.00000004.00001000.00020000.00000000.sdmp, fu56fbrtn8.exe, 00000000.00000002.1428558383.0000000002E0B000.00000004.00001000.00020000.00000000.sdmp, Cmzcxhwn.PIF, 00000008.00000002.1546049840.000000001406F000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000003.1914864143.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1531336451.0000000000921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1787599140.0000000000608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.1645700884.0000000000856000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1739100863.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1739100863.00000000009E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1421024098.000000000080D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fu56fbrtn8.exe PID: 5592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Cmzcxhwn.PIF PID: 5652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 4424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 6012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Cmzcxhwn.PIF PID: 2700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 4692, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\fgdghrd\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_1568BA12
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_1568BB30
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: \key3.db 0_2_1568BB30
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
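
None of the file or registry opens above is suspicious by itself (Chrome opens its own Login Data constantly); what identifies a harvester is one process that is not the owning application touching many unrelated credential stores in a row. The correlation below is an added example for this report, not Joe Sandbox or Remcos code. The store list is taken from the paths and keys the report shows remcos.exe opening, the (pid, image, path) event records are constructed, and the threshold of three distinct stores and the owner-process exclusions are assumptions to tune per environment.

```python
"""
Credential-store access correlation over file-open and registry-open events.
Added example; events are constructed from the paths listed in this report.
"""
import re
from collections import defaultdict

# (store family, pattern over the lower-cased path or key). Anchored on the tail
# so they match regardless of drive letter, user name or profile directory.
CREDENTIAL_STORES = [
    ("chrome_logins",     re.compile(r"\\google\\chrome\\user data\\.*\\login data$")),
    ("chrome_webdata",    re.compile(r"\\google\\chrome\\user data\\.*\\web data$")),
    ("chrome_cookies",    re.compile(r"\\google\\chrome\\user data\\.*\\cookies$")),
    ("edge_logins",       re.compile(r"\\microsoft\\edge\\user data\\.*\\login data$")),
    ("edge_cookies",      re.compile(r"\\microsoft\\edge\\user data\\.*\\cookies$")),
    ("firefox_keys",      re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\key[34]\.db$")),
    ("firefox_cookies",   re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\cookies\.sqlite$")),
    ("firefox_history",   re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\places\.sqlite$")),
    ("outlook_accounts",  re.compile(r"\\outlook\\omi account manager\\accounts$")),
    ("mapi_profiles",     re.compile(r"\\windows messaging subsystem\\profiles$")),
    ("windows_live_mail", re.compile(r"\\software\\microsoft\\windows live mail$")),
    ("incredimail",       re.compile(r"\\software\\incredimail\\identities$")),
    ("google_talk",       re.compile(r"\\software\\google\\google talk\\accounts$")),
    ("paltalk",           re.compile(r"\\software\\paltalk$")),
]

# A browser reading its own profile is normal; the prefix names the stores it owns.
OWNER_PREFIX = {"chrome.exe": "chrome_", "msedge.exe": "edge_", "firefox.exe": "firefox_"}

# Constructed events: remcos.exe PID 2508 as in the report, plus two benign controls.
SAMPLE_EVENTS = [
    {"pid": 2508, "image": r"C:\ProgramData\Remcos\remcos.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 2508, "image": r"C:\ProgramData\Remcos\remcos.exe",
     "path": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"pid": 2508, "image": r"C:\ProgramData\Remcos\remcos.exe",
     "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db"},
    {"pid": 2508, "image": r"C:\ProgramData\Remcos\remcos.exe",
     "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 2508, "image": r"C:\ProgramData\Remcos\remcos.exe",
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"},
    {"pid": 2508, "image": r"C:\ProgramData\Remcos\remcos.exe",
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail"},
    {"pid": 3100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4020, "image": r"C:\Windows\explorer.exe",
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail"},
]


def classify(path):
    """Map a file path or registry key to a credential-store family, or None."""
    low = path.lower()
    for name, rx in CREDENTIAL_STORES:
        if rx.search(low):
            return name
    return None


def harvesters(events, threshold=3):
    """pid -> sorted store families, for processes touching >= threshold distinct
    stores they do not own."""
    touched = defaultdict(set)
    for e in events:
        store = classify(e["path"])
        if store is None:
            continue
        owner = OWNER_PREFIX.get(e["image"].rsplit("\\", 1)[-1].lower())
        if owner and store.startswith(owner):
            continue
        touched[e["pid"]].add(store)
    return {pid: sorted(s) for pid, s in touched.items() if len(s) >= threshold}


if __name__ == "__main__":
    for pid, stores in harvesters(SAMPLE_EVENTS).items():
        print(pid, ", ".join(stores))
```

profiles.ini is read on purpose in the sample events and classified as nothing: it only locates the profile directory, and counting it would double-hit every Firefox access. The IdentityCRL\Dynamic Salt key from the report is also left out of the store list because it is read by ordinary Microsoft-account sign-in code as well.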
Source: Yara match File source: Process Memory Space: remcos.exe PID: 2508, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\fu56fbrtn8.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VLI916
Source: C:\ProgramData\Remcos\remcos.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VLI916
Source: C:\Users\Public\Libraries\Cmzcxhwn.PIF Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VLI916
Source: Yara match File source: 0.2.fu56fbrtn8.exe.15680000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.fu56fbrtn8.exe.15680000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000003.1914864143.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1531336451.0000000000921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1787599140.0000000000608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1454185764.000000007E930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1441963900.0000000015680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.1645700884.0000000000856000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2204454326.000000000076F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1739100863.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1739100863.00000000009E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1421024098.000000000080D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fu56fbrtn8.exe PID: 5592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Cmzcxhwn.PIF PID: 5652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 4424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 6012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Cmzcxhwn.PIF PID: 2700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 4692, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\fgdghrd\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\fu56fbrtn8.exe Code function: cmd.exe 0_2_1568569A