Edit tour

Windows Analysis Report
RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe

Overview

General Information

Sample name:	RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe
Analysis ID:	1566628
MD5:	973306ff45c5b4ee7333db7a5ef7a0f9
SHA1:	32c7065633f821f72f2c2af4a572414cdd79ea91
SHA256:	dec26f7cc646acdff30d90fae8837623c70870ed0cc9020930f95b53b6b730db
Tags:	exeuser-adrian__luca
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Remcos

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Drops VBS files to the startup folder

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Uses dynamic DNS services

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evaded block containing many API calls

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe" MD5: 973306FF45C5B4EE7333DB7A5EF7A0F9)

schoollike.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe" MD5: 973306FF45C5B4EE7333DB7A5EF7A0F9)

svchost.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

svchost.exe (PID: 7816 cmdline: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\mtmppeccgqygscehvklzfdreddodq" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

svchost.exe (PID: 7824 cmdline: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\mtmppeccgqygscehvklzfdreddodq" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

svchost.exe (PID: 7832 cmdline: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\wnsiqxnvuzqluislmugbiidvdjfejiom" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

svchost.exe (PID: 7848 cmdline: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ypxsq" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

wscript.exe (PID: 7532 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\schoollike.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

schoollike.exe (PID: 7580 cmdline: "C:\Users\user\AppData\Local\penstocks\schoollike.exe" MD5: 973306FF45C5B4EE7333DB7A5EF7A0F9)

svchost.exe (PID: 7596 cmdline: "C:\Users\user\AppData\Local\penstocks\schoollike.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

schoollike.exe (PID: 7604 cmdline: "C:\Users\user\AppData\Local\penstocks\schoollike.exe" MD5: 973306FF45C5B4EE7333DB7A5EF7A0F9)

svchost.exe (PID: 7628 cmdline: "C:\Users\user\AppData\Local\penstocks\schoollike.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["netflixyoutubebrowser.duckdns.org:34043:1"], "Assigned name": "WORK", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-CDDRK8", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.3825727194.0000000003230000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.1387521807.0000000000990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000002.00000002.1387521807.0000000000990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.1387521807.0000000000990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000002.00000002.1387521807.0000000000990000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
00000002.00000002.1387521807.0000000000990000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
00000002.00000002.1387521807.0000000000990000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
00000005.00000002.1491358992.0000000003D60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000005.00000002.1491358992.0000000003D60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.1491358992.0000000003D60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000005.00000002.1491358992.0000000003D60000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
00000005.00000002.1491358992.0000000003D60000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
00000005.00000002.1491358992.0000000003D60000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
00000003.00000002.3825644686.0000000003200000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.1504738636.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000008.00000002.1504738636.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.1504738636.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000008.00000002.1504738636.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
00000008.00000002.1504738636.0000000000400000.00000040.80000000.00040000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
00000008.00000002.1504738636.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
00000007.00000002.1506183329.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000007.00000002.1506183329.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.1506183329.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000007.00000002.1506183329.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
00000007.00000002.1506183329.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
00000007.00000002.1506183329.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
00000008.00000002.1505033984.0000000003000000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.3823656144.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000003.00000002.3823656144.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.3823656144.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.3823656144.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
00000003.00000002.3823656144.0000000000400000.00000040.80000000.00040000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
00000003.00000002.3823656144.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
00000003.00000002.3825672554.0000000003212000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: schoollike.exe PID: 7392	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: schoollike.exe PID: 7392	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: schoollike.exe PID: 7392	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: schoollike.exe PID: 7392	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x8d9e:$a1: Remcos restarted by watchdog! 0x92fb:$a3: %02i:%02i:%02i:%03i 0x96b3:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 7432	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: svchost.exe PID: 7432	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost.exe PID: 7432	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: svchost.exe PID: 7432	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 7432	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x3891a:$a1: Remcos restarted by watchdog! 0x38e77:$a3: %02i:%02i:%02i:%03i 0x3922f:$a3: %02i:%02i:%02i:%03i
Process Memory Space: schoollike.exe PID: 7580	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: schoollike.exe PID: 7580	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: schoollike.exe PID: 7580	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: schoollike.exe PID: 7580	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x68363:$a1: Remcos restarted by watchdog! 0x688c0:$a3: %02i:%02i:%02i:%03i 0x68c78:$a3: %02i:%02i:%02i:%03i
Process Memory Space: schoollike.exe PID: 7604	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: schoollike.exe PID: 7604	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: schoollike.exe PID: 7604	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: schoollike.exe PID: 7604	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x1310a0:$a1: Remcos restarted by watchdog! 0x1315fd:$a3: %02i:%02i:%02i:%03i 0x1319b5:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 7628	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost.exe PID: 7628	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: svchost.exe PID: 7628	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 7628	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x988f:$a1: Remcos restarted by watchdog! 0x9dec:$a3: %02i:%02i:%02i:%03i 0xa1a4:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 7824	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 51 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.schoollike.exe.35e0000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.schoollike.exe.35e0000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.schoollike.exe.35e0000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
7.2.schoollike.exe.35e0000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ef8:$a1: Remcos restarted by watchdog! 0x6a470:$a3: %02i:%02i:%02i:%03i
7.2.schoollike.exe.35e0000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64194:$str_a1: C:\Windows\System32\cmd.exe 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64204:$str_b2: Executing file: 0x6503c:$str_b3: GetDirectListeningPort 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64b80:$str_b7: \update.vbs 0x6422c:$str_b9: Downloaded file: 0x64218:$str_b10: Downloading file: 0x642bc:$str_b12: Failed to upload file: 0x65004:$str_b13: StartForward 0x65024:$str_b14: StopForward 0x64ad8:$str_b15: fso.DeleteFile " 0x64a6c:$str_b16: On Error Resume Next 0x64b08:$str_b17: fso.DeleteFolder " 0x642ac:$str_b18: Uploaded file: 0x6426c:$str_b19: Unable to delete: 0x64aa0:$str_b20: while fso.FileExists(" 0x64749:$str_c0: [Firefox StoredLogins not found]
7.2.schoollike.exe.35e0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64080:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64010:$s1: CoGetObject 0x64024:$s1: CoGetObject 0x64040:$s1: CoGetObject 0x6dc70:$s1: CoGetObject 0x63fd0:$s2: Elevation:Administrator!new:
8.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
8.2.svchost.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
8.2.svchost.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
3.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
3.2.svchost.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
3.2.svchost.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
8.2.svchost.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.svchost.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.svchost.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.svchost.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
8.2.svchost.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
8.2.svchost.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
5.2.schoollike.exe.3d60000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.2.schoollike.exe.3d60000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
5.2.schoollike.exe.3d60000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.schoollike.exe.3d60000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
5.2.schoollike.exe.3d60000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
5.2.schoollike.exe.3d60000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
2.2.schoollike.exe.990000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.schoollike.exe.990000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2.schoollike.exe.990000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.schoollike.exe.990000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
2.2.schoollike.exe.990000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
2.2.schoollike.exe.990000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
7.2.schoollike.exe.35e0000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.schoollike.exe.35e0000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.schoollike.exe.35e0000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
7.2.schoollike.exe.35e0000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
7.2.schoollike.exe.35e0000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
7.2.schoollike.exe.35e0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
2.2.schoollike.exe.990000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.schoollike.exe.990000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2.schoollike.exe.990000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.schoollike.exe.990000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ef8:$a1: Remcos restarted by watchdog! 0x6a470:$a3: %02i:%02i:%02i:%03i
2.2.schoollike.exe.990000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64194:$str_a1: C:\Windows\System32\cmd.exe 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64204:$str_b2: Executing file: 0x6503c:$str_b3: GetDirectListeningPort 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64b80:$str_b7: \update.vbs 0x6422c:$str_b9: Downloaded file: 0x64218:$str_b10: Downloading file: 0x642bc:$str_b12: Failed to upload file: 0x65004:$str_b13: StartForward 0x65024:$str_b14: StopForward 0x64ad8:$str_b15: fso.DeleteFile " 0x64a6c:$str_b16: On Error Resume Next 0x64b08:$str_b17: fso.DeleteFolder " 0x642ac:$str_b18: Uploaded file: 0x6426c:$str_b19: Unable to delete: 0x64aa0:$str_b20: while fso.FileExists(" 0x64749:$str_c0: [Firefox StoredLogins not found]
2.2.schoollike.exe.990000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64080:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64010:$s1: CoGetObject 0x64024:$s1: CoGetObject 0x64040:$s1: CoGetObject 0x6dc70:$s1: CoGetObject 0x63fd0:$s2: Elevation:Administrator!new:
5.2.schoollike.exe.3d60000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.2.schoollike.exe.3d60000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
5.2.schoollike.exe.3d60000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.schoollike.exe.3d60000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ef8:$a1: Remcos restarted by watchdog! 0x6a470:$a3: %02i:%02i:%02i:%03i
5.2.schoollike.exe.3d60000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64194:$str_a1: C:\Windows\System32\cmd.exe 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64204:$str_b2: Executing file: 0x6503c:$str_b3: GetDirectListeningPort 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64b80:$str_b7: \update.vbs 0x6422c:$str_b9: Downloaded file: 0x64218:$str_b10: Downloading file: 0x642bc:$str_b12: Failed to upload file: 0x65004:$str_b13: StartForward 0x65024:$str_b14: StopForward 0x64ad8:$str_b15: fso.DeleteFile " 0x64a6c:$str_b16: On Error Resume Next 0x64b08:$str_b17: fso.DeleteFolder " 0x642ac:$str_b18: Uploaded file: 0x6426c:$str_b19: Unable to delete: 0x64aa0:$str_b20: while fso.FileExists(" 0x64749:$str_c0: [Firefox StoredLogins not found]
5.2.schoollike.exe.3d60000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64080:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64010:$s1: CoGetObject 0x64024:$s1: CoGetObject 0x64040:$s1: CoGetObject 0x6dc70:$s1: CoGetObject 0x63fd0:$s2: Elevation:Administrator!new:
3.2.svchost.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.2.svchost.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.svchost.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.svchost.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
3.2.svchost.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
3.2.svchost.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
Click to see the 55 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\schoollike.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\schoollike.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\schoollike.vbs" , ProcessId: 7532, ProcessName: wscript.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe", CommandLine: "C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe", ParentImage: C:\Users\user\AppData\Local\penstocks\schoollike.exe, ParentProcessId: 7392, ParentProcessName: schoollike.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe", ProcessId: 7432, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\schoollike.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\schoollike.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\schoollike.vbs" , ProcessId: 7532, ProcessName: wscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe", CommandLine: "C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe", ParentImage: C:\Users\user\AppData\Local\penstocks\schoollike.exe, ParentProcessId: 7392, ParentProcessName: schoollike.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe", ProcessId: 7432, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\penstocks\schoollike.exe, ProcessId: 7392, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\schoollike.vbs

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 2E D7 BD 26 6B 3C 67 2F 75 72 A8 A2 F1 22 FC 33 3F 65 2C 95 39 AA 27 D7 58 21 34 68 73 60 AE 74 DF 03 0A AD 4C 09 51 82 B6 54 31 A5 E8 D5 73 0F 77 60 FA EE 87 F8 8B 24 60 92 16 70 8F 3F C5 E9 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7432, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-CDDRK8\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T14:38:37.818865+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49745	69.61.84.227	34043	TCP
2024-12-02T14:38:40.131348+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49752	69.61.84.227	34043	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T14:38:42.709194+0100	2803304	3	Unknown Traffic	192.168.2.9	49758	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.3825644686.0000000003200000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["netflixyoutubebrowser.duckdns.org:34043:1"], "Assigned name": "WORK", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-CDDRK8", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe

ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe

ReversingLabs: Detection: 47%

Yara detected Remcos RAT

Source: Yara match	File source: 7.2.schoollike.exe.35e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.schoollike.exe.3d60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.schoollike.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.schoollike.exe.35e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.schoollike.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.schoollike.exe.3d60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3825727194.0000000003230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1387521807.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1491358992.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3825644686.0000000003200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1504738636.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1506183329.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1505033984.0000000003000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3823656144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3825672554.0000000003212000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: schoollike.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: schoollike.exe PID: 7580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: schoollike.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7628, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe

Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		3_2_0043293A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		8_2_0043293A

Source: schoollike.exe, 00000002.00000002.1387521807.0000000000990000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_1ac87e54-3

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 7.2.schoollike.exe.35e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.schoollike.exe.3d60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.schoollike.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.schoollike.exe.35e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.schoollike.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.schoollike.exe.3d60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1387521807.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1491358992.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1504738636.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1506183329.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3823656144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: schoollike.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: schoollike.exe PID: 7580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: schoollike.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7628, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00406764 _wcslen,CoGetObject,		3_2_00406764
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00406764 _wcslen,CoGetObject,		8_2_00406764

Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: schoollike.exe, 00000002.00000003.1383238319.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, schoollike.exe, 00000002.00000003.1386267418.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, schoollike.exe, 00000005.00000003.1488942455.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, schoollike.exe, 00000005.00000003.1489177148.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, schoollike.exe, 00000007.00000003.1501252966.0000000003800000.00000004.00001000.00020000.00000000.sdmp, schoollike.exe, 00000007.00000003.1504588535.00000000036E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: schoollike.exe, 00000002.00000003.1383238319.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, schoollike.exe, 00000002.00000003.1386267418.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, schoollike.exe, 00000005.00000003.1488942455.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, schoollike.exe, 00000005.00000003.1489177148.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, schoollike.exe, 00000007.00000003.1501252966.0000000003800000.00000004.00001000.00020000.00000000.sdmp, schoollike.exe, 00000007.00000003.1504588535.00000000036E0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B46CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B46CA9
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00B460DD
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00B463F9
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B4EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B4EB60
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B4F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B4F5FA
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B4F56F FindFirstFileW,FindClose,	0_2_00B4F56F
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B51B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B51B2F
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B51C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B51C8A
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B51F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B51F94
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BB6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00BB6CA9
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BB60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	2_2_00BB60DD
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BB63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	2_2_00BB63F9
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BBEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00BBEB60
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BBF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_00BBF5FA
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BBF56F FindFirstFileW,FindClose,	2_2_00BBF56F
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BC1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00BC1B2F
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BC1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00BC1C8A
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BC1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00BC1F94
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0040B335
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	3_2_0041B42F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0040B53A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0044D5E9 FindFirstFileExA,	3_2_0044D5E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	3_2_004089A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00406AC2 FindFirstFileW,FindNextFileW,	3_2_00406AC2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	3_2_00407A8C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_00418C69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	3_2_00408DA7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	3_2_100010F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_10006580 FindFirstFileExA,	3_2_10006580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	8_2_0040B335
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	8_2_0041B42F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	8_2_0040B53A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0044D5E9 FindFirstFileExA,	8_2_0044D5E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	8_2_004089A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00406AC2 FindFirstFileW,FindNextFileW,	8_2_00406AC2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	8_2_00407A8C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	8_2_00418C69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	8_2_00408DA7

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_00406F06

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49745 -> 69.61.84.227:34043
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49752 -> 69.61.84.227:34043

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 69.61.84.227 34043			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 178.237.33.50 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: netflixyoutubebrowser.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: netflixyoutubebrowser.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.9:49745 -> 69.61.84.227:34043

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: GLOBALCOMPASSUS GLOBALCOMPASSUS

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49758 -> 178.237.33.50:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe

Code function: 0_2_00B54EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00B54EB5

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: svchost.exe, 0000000C.00000003.1590545977.0000000002B44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: {le://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginBV equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000C.00000003.1590545977.0000000002B44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: {le://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginBV equals www.yahoo.com (Yahoo)
Source: svchost.exe, 00000003.00000002.3826301039.00000000055E0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000E.00000002.1573237444.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: bhv6B95.tmp.12.dr	String found in binary or memory: exp1.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv6B95.tmp.12.dr	String found in binary or memory: exp2.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv6B95.tmp.12.dr	String found in binary or memory: exp3.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv6B95.tmp.12.dr	String found in binary or memory: exp4.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv6B95.tmp.12.dr	String found in binary or memory: exp5.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: svchost.exe, 00000003.00000002.3826301039.00000000055E0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000E.00000002.1573237444.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: bhv6B95.tmp.12.dr	String found in binary or memory: realtime.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv6B95.tmp.12.dr	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv6B95.tmp.12.dr	String found in binary or memory: www.linkedin.com0 equals www.linkedin.com (Linkedin)
Source: svchost.exe, 0000000C.00000003.1581687315.0000000002B3A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1581174240.0000000002B44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1582333402.0000000002B32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: {file://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginBV equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000C.00000003.1581687315.0000000002B3A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1581174240.0000000002B44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1582333402.0000000002B32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: {file://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginBV equals www.yahoo.com (Yahoo)
Source: svchost.exe, 00000003.00000002.3828499169.0000000005F60000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.1590820618.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: svchost.exe, 00000003.00000002.3828499169.0000000005F60000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.1590820618.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: netflixyoutubebrowser.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: svchost.exe, 00000003.00000002.3825727194.000000000324C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: svchost.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: schoollike.exe, 00000002.00000002.1387521807.0000000000990000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3823656144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, schoollike.exe, 00000005.00000002.1491358992.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, schoollike.exe, 00000007.00000002.1506183329.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1504738636.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: svchost.exe, 00000003.00000002.3825727194.0000000003230000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv6B95.tmp.12.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: svchost.exe, 00000003.00000002.3826301039.00000000055E0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000E.00000002.1573237444.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: svchost.exe, 00000003.00000002.3826301039.00000000055E0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000E.00000002.1573237444.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: svchost.exe, 00000003.00000002.3826301039.00000000055E0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000E.00000002.1573237444.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: svchost.exe, 00000003.00000002.3826301039.00000000055E0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000E.00000002.1573237444.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: svchost.exe, 0000000C.00000002.1590639389.0000000000174000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: svchost.exe, 0000000E.00000002.1573237444.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DesusertionEndpoint=P
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DesusertionEndpoint=Edge-Prod-LAX31r5b&
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DesusertionEndpoint=Edge-Prod-LAX31r5c&
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://edd27623571fc427dc1f8d6ba04dd39f.clo.footprintdns.com/apc/trans.gif?b37f6b94dfddf29d58d90046
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: svchost.exe, 0000000C.00000002.1591389630.0000000002B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_iu#
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-09-10-14/PreSignInSettingsConfig.json
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=6c2de995c290b031854b
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=eafda5
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://rum18.perf.linkedin.com/apc/trans.gif?481b7caa9fdb7105b2103a8300811877
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://rum18.perf.linkedin.com/apc/trans.gif?d99a5c14daed171e4daf3a2c1226bd16
Source: svchost.exe, 00000003.00000002.3826301039.00000000055E0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000E.00000002.1573237444.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: bhv6B95.tmp.12.dr	String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

3_2_004099E4

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe

Code function: 0_2_00B56B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B56B0C

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B56D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	0_2_00B56D07
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BC6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	2_2_00BC6D07
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	3_2_004159C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	8_2_004159C6

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe

0_2_00B56B0C

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe

Code function: 0_2_00B42B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00B42B37

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B6F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00B6F7FF
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_00BDF7FF

Source: Yara match	File source: 7.2.schoollike.exe.35e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.schoollike.exe.3d60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.schoollike.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.schoollike.exe.35e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.schoollike.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.schoollike.exe.3d60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1387521807.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1491358992.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1504738636.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1506183329.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3823656144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: schoollike.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: schoollike.exe PID: 7580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: schoollike.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7628, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 7.2.schoollike.exe.35e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.schoollike.exe.3d60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.schoollike.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.schoollike.exe.35e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.schoollike.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.schoollike.exe.3d60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3825727194.0000000003230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1387521807.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1491358992.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3825644686.0000000003200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1504738636.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1506183329.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1505033984.0000000003000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3823656144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3825672554.0000000003212000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: schoollike.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: schoollike.exe PID: 7580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: schoollike.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7628, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041BB77 SystemParametersInfoW,		3_2_0041BB77
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0041BB77 SystemParametersInfoW,		8_2_0041BB77

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.schoollike.exe.35e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.schoollike.exe.35e0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.schoollike.exe.35e0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.schoollike.exe.3d60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.schoollike.exe.3d60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.schoollike.exe.3d60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.schoollike.exe.990000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.schoollike.exe.990000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.schoollike.exe.990000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.schoollike.exe.35e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.schoollike.exe.35e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.schoollike.exe.35e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.schoollike.exe.990000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.schoollike.exe.990000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.schoollike.exe.990000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.schoollike.exe.3d60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.schoollike.exe.3d60000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.schoollike.exe.3d60000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.1387521807.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.1387521807.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.1387521807.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.1491358992.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.1491358992.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.1491358992.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.1504738636.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.1504738636.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.1504738636.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000007.00000002.1506183329.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000007.00000002.1506183329.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000007.00000002.1506183329.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000003.00000002.3823656144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.3823656144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.3823656144.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: schoollike.exe PID: 7392, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7432, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: schoollike.exe PID: 7580, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: schoollike.exe PID: 7604, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7628, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00B03D19
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe, 00000000.00000002.1374242912.0000000000BAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e2950e05-1
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe, 00000000.00000002.1374242912.0000000000BAE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_df38d542-8
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe, 00000000.00000003.1371420320.00000000039AD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0223b75d-c
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe, 00000000.00000003.1371420320.00000000039AD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_fb7a09f1-4
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: This is a third-party compiled AutoIt script.	2_2_00B73D19
Source: schoollike.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: schoollike.exe, 00000002.00000000.1371725260.0000000000C1E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_30cb1e68-2
Source: schoollike.exe, 00000002.00000000.1371725260.0000000000C1E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3b7980e3-3
Source: schoollike.exe, 00000005.00000002.1490413720.0000000000C1E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8839cc64-b
Source: schoollike.exe, 00000005.00000002.1490413720.0000000000C1E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ef8987e7-c
Source: schoollike.exe, 00000007.00000002.1505619498.0000000000C1E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_439b5e7d-d
Source: schoollike.exe, 00000007.00000002.1505619498.0000000000C1E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f05db03c-d
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_468d4966-b
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_56713dca-b
Source: schoollike.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a84553d7-f
Source: schoollike.exe.0.dr	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_288ce56b-3

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe
Source: initial sample	Static PE information: Filename: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	3_2_00417245
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,	3_2_0041ACC1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,	3_2_0041ACED

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B479D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	0_2_00B479D3
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BB79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	2_2_00BB79D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,	3_2_004158B9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,	8_2_004158B9

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B2B043	0_2_00B2B043
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B13200	0_2_00B13200
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B3410F	0_2_00B3410F
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B202A4	0_2_00B202A4
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B0E3B0	0_2_00B0E3B0
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B3038E	0_2_00B3038E
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B206D9	0_2_00B206D9
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B3467F	0_2_00B3467F
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B6AACE	0_2_00B6AACE
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B34BEF	0_2_00B34BEF
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B2CCC1	0_2_00B2CCC1
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B06F07	0_2_00B06F07
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B0AF50	0_2_00B0AF50
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B631BC	0_2_00B631BC
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B2D1B9	0_2_00B2D1B9
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B1B11F	0_2_00B1B11F
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B2123A	0_2_00B2123A
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B3724D	0_2_00B3724D
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B093F0	0_2_00B093F0
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B413CA	0_2_00B413CA
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B1F563	0_2_00B1F563
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B096C0	0_2_00B096C0
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B4B6CC	0_2_00B4B6CC
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B077B0	0_2_00B077B0
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B6F7FF	0_2_00B6F7FF
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B379C9	0_2_00B379C9
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B1FA57	0_2_00B1FA57
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B13B70	0_2_00B13B70
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B09B60	0_2_00B09B60
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B07D19	0_2_00B07D19
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B29ED0	0_2_00B29ED0
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B1FE6F	0_2_00B1FE6F
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B07FA3	0_2_00B07FA3
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_012493A0	0_2_012493A0
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B9B043	2_2_00B9B043
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B83200	2_2_00B83200
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BA410F	2_2_00BA410F
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B902A4	2_2_00B902A4
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B7E3B0	2_2_00B7E3B0
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BA038E	2_2_00BA038E
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B906D9	2_2_00B906D9
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BA467F	2_2_00BA467F
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDAACE	2_2_00BDAACE
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BA4BEF	2_2_00BA4BEF
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B9CCC1	2_2_00B9CCC1
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B76F07	2_2_00B76F07
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B7AF50	2_2_00B7AF50
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B9D1B9	2_2_00B9D1B9
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BD31BC	2_2_00BD31BC
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B8B11F	2_2_00B8B11F
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B9123A	2_2_00B9123A
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BA724D	2_2_00BA724D
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B793F0	2_2_00B793F0
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BB13CA	2_2_00BB13CA
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B8F563	2_2_00B8F563
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B796C0	2_2_00B796C0
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BBB6CC	2_2_00BBB6CC
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B777B0	2_2_00B777B0
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDF7FF	2_2_00BDF7FF
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BA79C9	2_2_00BA79C9
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B8FA57	2_2_00B8FA57
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B83B70	2_2_00B83B70
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B79B60	2_2_00B79B60
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B77D19	2_2_00B77D19
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B99ED0	2_2_00B99ED0
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B8FE6F	2_2_00B8FE6F
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B77FA3	2_2_00B77FA3
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00D1A5E8	2_2_00D1A5E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041D071	3_2_0041D071
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004520D2	3_2_004520D2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0043D098	3_2_0043D098
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00437150	3_2_00437150
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004361AA	3_2_004361AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00426254	3_2_00426254
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00431377	3_2_00431377
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0043651C	3_2_0043651C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041E5DF	3_2_0041E5DF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0044C739	3_2_0044C739
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004367C6	3_2_004367C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004267CB	3_2_004267CB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0043C9DD	3_2_0043C9DD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00432A49	3_2_00432A49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00436A8D	3_2_00436A8D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0043CC0C	3_2_0043CC0C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00436D48	3_2_00436D48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00434D22	3_2_00434D22
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00426E73	3_2_00426E73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00440E20	3_2_00440E20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0043CE3B	3_2_0043CE3B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00412F45	3_2_00412F45
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00452F00	3_2_00452F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00426FAD	3_2_00426FAD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_10017194	3_2_10017194
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_1000B5C1	3_2_1000B5C1
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 5_2_015D35F8	5_2_015D35F8
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 7_2_00D53C30	7_2_00D53C30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0041D071	8_2_0041D071
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004520D2	8_2_004520D2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0043D098	8_2_0043D098
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00437150	8_2_00437150
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004361AA	8_2_004361AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00426254	8_2_00426254
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00431377	8_2_00431377
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0043651C	8_2_0043651C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0041E5DF	8_2_0041E5DF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0044C739	8_2_0044C739
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004367C6	8_2_004367C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004267CB	8_2_004267CB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0043C9DD	8_2_0043C9DD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00432A49	8_2_00432A49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00436A8D	8_2_00436A8D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0043CC0C	8_2_0043CC0C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00436D48	8_2_00436D48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00434D22	8_2_00434D22
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00426E73	8_2_00426E73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00440E20	8_2_00440E20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0043CE3B	8_2_0043CE3B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00412F45	8_2_00412F45
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00452F00	8_2_00452F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00426FAD	8_2_00426FAD

Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: String function: 00B96AC0 appears 42 times
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: String function: 00B8EC2F appears 68 times
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: String function: 00B9F8A0 appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00444B14 appears 56 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00404C9E appears 32 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 004020E7 appears 79 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00401E8F appears 37 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00401D64 appears 43 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00447174 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 004040BB appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00401F66 appears 100 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00410D8D appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 004338A5 appears 82 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00401FAA appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00403B40 appears 44 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00433FB0 appears 110 times
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: String function: 00B26AC0 appears 42 times
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: String function: 00B2F8A0 appears 35 times
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: String function: 00B1EC2F appears 68 times

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B3AB84 AdjustTokenPrivileges,CloseHandle,	0_2_00B3AB84
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B3B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00B3B134
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BAAB84 AdjustTokenPrivileges,CloseHandle,	2_2_00BAAB84
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BAB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_00BAB134
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	3_2_00416AB7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	8_2_00416AB7

Source: svchost.exe, 00000003.00000002.3828499169.0000000005F60000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.1590820618.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: svchost.exe, 00000003.00000002.3828499169.0000000005F60000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.3830651470.0000000006600000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.1590820618.0000000000400000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.1570199633.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe, 00000003.00000002.3828499169.0000000005F60000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.1590820618.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: svchost.exe, 00000003.00000002.3828499169.0000000005F60000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.1590820618.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: svchost.exe, 00000003.00000002.3828499169.0000000005F60000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.1590820618.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe, 00000003.00000002.3828499169.0000000005F60000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.1590820618.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 0000000C.00000003.1590523594.0000000002B2E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1590454839.0000000002B2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: svchost.exe, 00000003.00000002.3828499169.0000000005F60000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.1590820618.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: unknown	Process created: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe "C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe"
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Process created: C:\Users\user\AppData\Local\penstocks\schoollike.exe "C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe"
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\schoollike.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\penstocks\schoollike.exe "C:\Users\user\AppData\Local\penstocks\schoollike.exe"
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\penstocks\schoollike.exe"
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Process created: C:\Users\user\AppData\Local\penstocks\schoollike.exe "C:\Users\user\AppData\Local\penstocks\schoollike.exe"
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\penstocks\schoollike.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\mtmppeccgqygscehvklzfdreddodq"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\mtmppeccgqygscehvklzfdreddodq"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\wnsiqxnvuzqluislmugbiidvdjfejiom"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ypxsq"
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Process created: C:\Users\user\AppData\Local\penstocks\schoollike.exe "C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\mtmppeccgqygscehvklzfdreddodq"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\mtmppeccgqygscehvklzfdreddodq"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\wnsiqxnvuzqluislmugbiidvdjfejiom"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ypxsq"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\penstocks\schoollike.exe "C:\Users\user\AppData\Local\penstocks\schoollike.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\penstocks\schoollike.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Process created: C:\Users\user\AppData\Local\penstocks\schoollike.exe "C:\Users\user\AppData\Local\penstocks\schoollike.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\penstocks\schoollike.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B26B05 push ecx; ret	0_2_00B26B18
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDC295 push ss; ret	2_2_00BDC29D
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDC2CE push ss; ret	2_2_00BDC2D6
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDC230 push ss; ret	2_2_00BDC231
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDC26B push ss; ret	2_2_00BDC26D
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B96B05 push ecx; ret	2_2_00B96B18
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDBDFE push ss; ret	2_2_00BDBE00
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDBDEA push ss; ret	2_2_00BDBDEB
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDBD75 push ss; ret	2_2_00BDBD7A
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDBD69 push ss; ret	2_2_00BDBD6A
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDBD52 push ss; ret	2_2_00BDBD53
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDBE1E push ss; ret	2_2_00BDBE26
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDBFDD push ss; ret	2_2_00BDBFDF
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDBF30 push ss; ret	2_2_00BDBF32
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDBF73 push ss; ret	2_2_00BDBF7B
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDBF55 push ss; ret	2_2_00BDBF57
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BDBF45 push ss; ret	2_2_00BDBF46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004567E0 push eax; ret	3_2_004567FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0045B9DD push esi; ret	3_2_0045B9E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00463EF3 push ds; retf	3_2_00463EEC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00455EAF push ecx; ret	3_2_00455EC2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00433FF6 push ecx; ret	3_2_00434009
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_10002806 push ecx; ret	3_2_10002819
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 5_2_015D3815 push edi; retf	5_2_015D3820
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 7_2_00D53E4D push edi; retf	7_2_00D53E58
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004567E0 push eax; ret	8_2_004567FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0045B9DD push esi; ret	8_2_0045B9E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00463EF3 push ds; retf	8_2_00463EEC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00455EAF push ecx; ret	8_2_00455EC2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00433FF6 push ecx; ret	8_2_00434009

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B68111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00B68111
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B1EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00B1EB42
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00BD8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00BD8111
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B8EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_00B8EB42

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040E54F Sleep,ExitProcess,		3_2_0040E54F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040E54F Sleep,ExitProcess,		8_2_0040E54F

Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	API/Special instruction interceptor: Address: D1A20C
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	API/Special instruction interceptor: Address: 15D321C
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	API/Special instruction interceptor: Address: D53854

Source: C:\Windows\SysWOW64\svchost.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		3_2_004198C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		8_2_004198C2

Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 1616			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 8360			Jump to behavior

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Evaded block: after key decision			graph_0-95663
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Evaded block: after key decision

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	API coverage: 4.6 %
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	API coverage: 4.9 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 5.0 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 7452	Thread sleep count: 1616 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7452	Thread sleep time: -4848000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7452	Thread sleep count: 8360 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7452	Thread sleep time: -25080000s >= -30000s	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe

Source: svchost.exe, 00000003.00000002.3825727194.000000000324C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bhv6B95.tmp.12.dr	Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: svchost.exe, 00000003.00000002.3825672554.0000000003212000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: wscript.exe, 00000004.00000002.1480229045.000001A6F5D25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\?

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	API call chain: ExitProcess graph end node	graph_0-95443
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_01249230 mov eax, dword ptr fs:[00000030h]	0_2_01249230
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_01249290 mov eax, dword ptr fs:[00000030h]	0_2_01249290
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_01247C10 mov eax, dword ptr fs:[00000030h]	0_2_01247C10
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00D1A4D8 mov eax, dword ptr fs:[00000030h]	2_2_00D1A4D8
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00D1A478 mov eax, dword ptr fs:[00000030h]	2_2_00D1A478
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00D18E58 mov eax, dword ptr fs:[00000030h]	2_2_00D18E58
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00442554 mov eax, dword ptr fs:[00000030h]	3_2_00442554
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_10004AB4 mov eax, dword ptr fs:[00000030h]	3_2_10004AB4
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 5_2_015D34E8 mov eax, dword ptr fs:[00000030h]	5_2_015D34E8
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 5_2_015D1E68 mov eax, dword ptr fs:[00000030h]	5_2_015D1E68
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 5_2_015D3488 mov eax, dword ptr fs:[00000030h]	5_2_015D3488
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 7_2_00D53AC0 mov eax, dword ptr fs:[00000030h]	7_2_00D53AC0
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 7_2_00D53B20 mov eax, dword ptr fs:[00000030h]	7_2_00D53B20
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 7_2_00D524A0 mov eax, dword ptr fs:[00000030h]	7_2_00D524A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00442554 mov eax, dword ptr fs:[00000030h]	8_2_00442554

Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B281AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B281AC
Source: C:\Users\user\Desktop\RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe	Code function: 0_2_00B28189 SetUnhandledExceptionFilter,	0_2_00B28189
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B981AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00B981AC
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Code function: 2_2_00B98189 SetUnhandledExceptionFilter,	2_2_00B98189
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00434168
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0043A65D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00433B44
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00433CD7 SetUnhandledExceptionFilter,	3_2_00433CD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_100060E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_10002639
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_10002B1C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00434168
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_0043A65D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00433B44
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00433CD7 SetUnhandledExceptionFilter,	8_2_00433CD7

Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E7C008			Jump to behavior
Source: C:\Users\user\AppData\Local\penstocks\schoollike.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C38008			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe		3_2_00410F36
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe		8_2_00410F36

Source: svchost.exe, 00000003.00000002.3825672554.0000000003212000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerProgram Manager
Source: svchost.exe, 00000003.00000002.3825672554.0000000003212000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe, schoollike.exe	Binary or memory string: Shell_TrayWnd
Source: RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe, schoollike.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: svchost.exe, 00000003.00000002.3825727194.0000000003230000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3825672554.0000000003212000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,	3_2_0040E679
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	3_2_004470AE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	3_2_004510BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_004511E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	3_2_004512EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_004513B7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	3_2_00447597
Source: C:\Windows\SysWOW64\svchost.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	3_2_00450A7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	3_2_00450CF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	3_2_00450D42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	3_2_00450DDD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00450E6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	8_2_004470AE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	8_2_004510BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_004511E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	8_2_004512EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_004513B7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	8_2_00447597
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,	8_2_0040E679
Source: C:\Windows\SysWOW64\svchost.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	8_2_00450A7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	8_2_00450CF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	8_2_00450D42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	8_2_00450DDD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	8_2_00450E6A

Source: C:\Windows\SysWOW64\svchost.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		3_2_0040B21B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		8_2_0040B21B