Edit tour

Windows Analysis Report
03262025_Distribution Notice.exe

Overview

General Information

Sample name:	03262025_Distribution Notice.exe
Analysis ID:	1629278
MD5:	4864a55cff27f686023456a22371e790
SHA1:	6ed30c0371fe167d38411bfa6d720fcdcacc4f4c
SHA256:	08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Compliance

Score:	46
Range:	0 - 100

Signatures

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Drops PE files to the document folder of the user

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Uses dynamic DNS services

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w7x64

03262025_Distribution Notice.exe (PID: 3560 cmdline: "C:\Users\user\Desktop\03262025_Distribution Notice.exe" MD5: 4864A55CFF27F686023456A22371E790)

03262025_Distribution Notice.exe (PID: 3696 cmdline: "C:\Users\user\Desktop\03262025_Distribution Notice.exe" MD5: 4864A55CFF27F686023456A22371E790)

cmd.exe (PID: 3728 cmdline: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll",EntryPoint /f & exit MD5: AD7B9C14083B52BC532FBA5948342B98)

reg.exe (PID: 3748 cmdline: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll",EntryPoint /f MD5: D69A9ABBB0D795F21995C2F48C1EB560)

rundll32.exe (PID: 3796 cmdline: "C:\Windows\system32\rundll32.exe" C:\Users\user\Documents\JavaUpdater943034.dll,EntryPoint MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 3808 cmdline: "C:\Windows\system32\rundll32.exe" C:\Users\user\Documents\JavaUpdater943034.dll,EntryPoint MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 3884 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 3840 cmdline: "C:\Windows\system32\rundll32.exe" C:\Users\user\Documents\JavaUpdater943034.dll,EntryPoint MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 3848 cmdline: "C:\Windows\system32\rundll32.exe" C:\Users\user\Documents\JavaUpdater943034.dll,EntryPoint MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 3940 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["demo2025project.duckdns.org:30360:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MB2LKE", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
00000002.00000002.910038572.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.528588928.00000000005B1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
0000000C.00000002.562253767.00000000003D1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
Process Memory Space: 03262025_Distribution Notice.exe PID: 3560	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: 03262025_Distribution Notice.exe PID: 3560	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: 03262025_Distribution Notice.exe PID: 3560	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: 03262025_Distribution Notice.exe PID: 3560	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x2bfccc:$a1: Remcos restarted by watchdog! 0xb927fb:$a1: Remcos restarted by watchdog! 0x2c0321:$a3: %02i:%02i:%02i:%03i 0x2c075e:$a3: %02i:%02i:%02i:%03i 0xb92e4f:$a3: %02i:%02i:%02i:%03i 0xb9328c:$a3: %02i:%02i:%02i:%03i
Process Memory Space: 03262025_Distribution Notice.exe PID: 3696	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: 03262025_Distribution Notice.exe PID: 3696	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: 03262025_Distribution Notice.exe PID: 3696	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: 03262025_Distribution Notice.exe PID: 3696	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x4fdac:$a1: Remcos restarted by watchdog! 0x50400:$a3: %02i:%02i:%02i:%03i 0x5083d:$a3: %02i:%02i:%02i:%03i
Click to see the 60 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.rundll32.exe.90000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
12.2.rundll32.exe.90000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.rundll32.exe.90000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.rundll32.exe.90000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
12.2.rundll32.exe.90000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
12.2.rundll32.exe.90000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
2.2.03262025_Distribution Notice.exe.1c0000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.03262025_Distribution Notice.exe.1c0000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2.03262025_Distribution Notice.exe.1c0000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.03262025_Distribution Notice.exe.1c0000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
2.2.03262025_Distribution Notice.exe.1c0000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
2.2.03262025_Distribution Notice.exe.1c0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
7.2.rundll32.exe.270000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.rundll32.exe.270000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.rundll32.exe.270000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
7.2.rundll32.exe.270000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
7.2.rundll32.exe.270000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
7.2.rundll32.exe.270000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
7.2.rundll32.exe.270000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.rundll32.exe.270000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.rundll32.exe.270000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
7.2.rundll32.exe.270000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6a358:$a1: Remcos restarted by watchdog! 0x6a9a8:$a3: %02i:%02i:%02i:%03i
7.2.rundll32.exe.270000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x645f4:$str_a1: C:\Windows\System32\cmd.exe 0x64570:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64570:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x650d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64664:$str_b2: Executing file: 0x6549c:$str_b3: GetDirectListeningPort 0x64ec8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65048:$str_b7: \update.vbs 0x6468c:$str_b9: Downloaded file: 0x64678:$str_b10: Downloading file: 0x6471c:$str_b12: Failed to upload file: 0x65464:$str_b13: StartForward 0x65484:$str_b14: StopForward 0x64fa0:$str_b15: fso.DeleteFile " 0x64f34:$str_b16: On Error Resume Next 0x64fd0:$str_b17: fso.DeleteFolder " 0x6470c:$str_b18: Uploaded file: 0x646cc:$str_b19: Unable to delete: 0x64f68:$str_b20: while fso.FileExists(" 0x64ba9:$str_c0: [Firefox StoredLogins not found]
7.2.rundll32.exe.270000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x644e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64478:$s1: CoGetObject 0x6448c:$s1: CoGetObject 0x644a8:$s1: CoGetObject 0x6e256:$s1: CoGetObject 0x64438:$s2: Elevation:Administrator!new:
9.2.rundll32.exe.8b0000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.2.rundll32.exe.8b0000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.rundll32.exe.8b0000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.rundll32.exe.8b0000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6a358:$a1: Remcos restarted by watchdog! 0x6a9a8:$a3: %02i:%02i:%02i:%03i
9.2.rundll32.exe.8b0000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x645f4:$str_a1: C:\Windows\System32\cmd.exe 0x64570:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64570:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x650d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64664:$str_b2: Executing file: 0x6549c:$str_b3: GetDirectListeningPort 0x64ec8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65048:$str_b7: \update.vbs 0x6468c:$str_b9: Downloaded file: 0x64678:$str_b10: Downloading file: 0x6471c:$str_b12: Failed to upload file: 0x65464:$str_b13: StartForward 0x65484:$str_b14: StopForward 0x64fa0:$str_b15: fso.DeleteFile " 0x64f34:$str_b16: On Error Resume Next 0x64fd0:$str_b17: fso.DeleteFolder " 0x6470c:$str_b18: Uploaded file: 0x646cc:$str_b19: Unable to delete: 0x64f68:$str_b20: while fso.FileExists(" 0x64ba9:$str_c0: [Firefox StoredLogins not found]
9.2.rundll32.exe.8b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x644e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64478:$s1: CoGetObject 0x6448c:$s1: CoGetObject 0x644a8:$s1: CoGetObject 0x6e256:$s1: CoGetObject 0x64438:$s2: Elevation:Administrator!new:
0.2.03262025_Distribution Notice.exe.2690000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.03262025_Distribution Notice.exe.2690000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.03262025_Distribution Notice.exe.2690000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.03262025_Distribution Notice.exe.2690000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6a358:$a1: Remcos restarted by watchdog! 0x6a9a8:$a3: %02i:%02i:%02i:%03i
0.2.03262025_Distribution Notice.exe.2690000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x645f4:$str_a1: C:\Windows\System32\cmd.exe 0x64570:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64570:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x650d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64664:$str_b2: Executing file: 0x6549c:$str_b3: GetDirectListeningPort 0x64ec8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65048:$str_b7: \update.vbs 0x6468c:$str_b9: Downloaded file: 0x64678:$str_b10: Downloading file: 0x6471c:$str_b12: Failed to upload file: 0x65464:$str_b13: StartForward 0x65484:$str_b14: StopForward 0x64fa0:$str_b15: fso.DeleteFile " 0x64f34:$str_b16: On Error Resume Next 0x64fd0:$str_b17: fso.DeleteFolder " 0x6470c:$str_b18: Uploaded file: 0x646cc:$str_b19: Unable to delete: 0x64f68:$str_b20: while fso.FileExists(" 0x64ba9:$str_c0: [Firefox StoredLogins not found]
0.2.03262025_Distribution Notice.exe.2690000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x644e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64478:$s1: CoGetObject 0x6448c:$s1: CoGetObject 0x644a8:$s1: CoGetObject 0x6e256:$s1: CoGetObject 0x64438:$s2: Elevation:Administrator!new:
10.2.rundll32.exe.90000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.rundll32.exe.90000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.rundll32.exe.90000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.rundll32.exe.90000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
10.2.rundll32.exe.90000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
10.2.rundll32.exe.90000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
9.2.rundll32.exe.8b0000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.2.rundll32.exe.8b0000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.rundll32.exe.8b0000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.rundll32.exe.8b0000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
9.2.rundll32.exe.8b0000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
9.2.rundll32.exe.8b0000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
7.2.rundll32.exe.410000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.rundll32.exe.410000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.rundll32.exe.410000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
7.2.rundll32.exe.410000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
7.2.rundll32.exe.410000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
7.2.rundll32.exe.410000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
10.2.rundll32.exe.90000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.rundll32.exe.90000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.rundll32.exe.90000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.rundll32.exe.90000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
10.2.rundll32.exe.90000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
10.2.rundll32.exe.90000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
0.2.03262025_Distribution Notice.exe.2790000.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.03262025_Distribution Notice.exe.2790000.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.03262025_Distribution Notice.exe.2790000.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.03262025_Distribution Notice.exe.2790000.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
0.2.03262025_Distribution Notice.exe.2790000.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
0.2.03262025_Distribution Notice.exe.2790000.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
7.2.rundll32.exe.410000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.rundll32.exe.410000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.rundll32.exe.410000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
7.2.rundll32.exe.410000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
7.2.rundll32.exe.410000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
7.2.rundll32.exe.410000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
9.2.rundll32.exe.960000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.2.rundll32.exe.960000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.rundll32.exe.960000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.rundll32.exe.960000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
9.2.rundll32.exe.960000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
9.2.rundll32.exe.960000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
12.2.rundll32.exe.90000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
12.2.rundll32.exe.90000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.rundll32.exe.90000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.rundll32.exe.90000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
12.2.rundll32.exe.90000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
12.2.rundll32.exe.90000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
9.2.rundll32.exe.960000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.2.rundll32.exe.960000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.rundll32.exe.960000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.rundll32.exe.960000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
9.2.rundll32.exe.960000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
9.2.rundll32.exe.960000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
Click to see the 103 entries

Sigma Signatures

System Summary

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\rundll32.exe", CommandLine: "C:\Windows\SysWOW64\rundll32.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: "C:\Windows\system32\rundll32.exe" C:\Users\user\Documents\JavaUpdater943034.dll,EntryPoint, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 3808, ParentProcessName: rundll32.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rundll32.exe", ProcessId: 3884, ProcessName: rundll32.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll,EntryPoint, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 3748, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Palo Alto Network Sensor

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll",EntryPoint /f , CommandLine: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll",EntryPoint /f , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll",EntryPoint /f & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3728, ParentProcessName: cmd.exe, ProcessCommandLine: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll",EntryPoint /f , ProcessId: 3748, ProcessName: reg.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll",EntryPoint /f & exit, CommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll",EntryPoint /f & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\03262025_Distribution Notice.exe", ParentImage: C:\Users\user\Desktop\03262025_Distribution Notice.exe, ParentProcessId: 3560, ParentProcessName: 03262025_Distribution Notice.exe, ProcessCommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll",EntryPoint /f & exit, ProcessId: 3728, ProcessName: cmd.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: F0 C9 77 4A E4 D9 A3 24 73 46 D0 EA 9A 25 A6 B9 8C 31 4B CF 42 3C 5A EF 6B 0C 20 5C 16 B2 C0 A6 63 47 34 24 64 87 AC E2 9A 32 CA 88 D3 EC 07 90 14 B8 B0 04 F3 6E DB 6C 92 19 76 DB 0D CF EB B7 06 71 9F 9A EA 82 E0 CE 6D 05 6C 61 54 E7 F0 79 D7 7D 9B 1B BD 35 0A 03 47 79 B1 D0 FF A9 77 2D 00 CF EB 0E A8 2F 9F 71 27 EF C9 60 3C C0 25 C7 , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\03262025_Distribution Notice.exe, ProcessId: 3696, TargetObject: HKEY_CURRENT_USER\Software\Rmc-MB2LKE\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T15:38:14.033178+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49165	45.74.46.7	30360	TCP
2025-03-04T15:38:36.705672+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49166	45.74.46.7	30360	TCP
2025-03-04T15:38:59.799363+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49167	45.74.46.7	30360	TCP
2025-03-04T15:39:40.238555+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49168	45.74.46.7	30360	TCP
2025-03-04T15:40:11.132694+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49169	45.74.46.7	30360	TCP
2025-03-04T15:40:40.041410+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49170	45.74.46.7	30360	TCP
2025-03-04T15:41:03.004695+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49171	45.74.46.7	30360	TCP
2025-03-04T15:41:28.837338+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49172	45.74.46.7	30360	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: demo2025project.duckdns.org

Avira URL Cloud: Label: malware

Found malware configuration

Source: 7.2.rundll32.exe.270000.0.raw.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["demo2025project.duckdns.org:30360:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MB2LKE", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.03262025_Distribution Notice.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2790000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.960000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.960000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.910038572.0000000000C74000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.528588928.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.562253767.00000000003D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 03262025_Distribution Notice.exe PID: 3560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 03262025_Distribution Notice.exe PID: 3696, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.9% probability

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001F3B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		2_2_001F3B64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000C3B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		10_2_000C3B64

Source: 03262025_Distribution Notice.exe, 00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_e1afed75-b

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 12.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.03262025_Distribution Notice.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2790000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.960000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.960000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 03262025_Distribution Notice.exe PID: 3560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 03262025_Distribution Notice.exe PID: 3696, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001C6ABC _wcslen,CoGetObject,		2_2_001C6ABC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00096ABC _wcslen,CoGetObject,		10_2_00096ABC

Compliance

Uses 32bit PE files

Source: 03262025_Distribution Notice.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: 03262025_Distribution Notice.exe

Static PE information: certificate valid

Binary contains paths to debug symbols

Source:	Binary string: d:\SDK\WebRender\Berkelium\win32\berkelium.pdb source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000004329000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.0000000011B0A000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: /app/crashsubmit?appname=SumatraPDFhttp://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5.3.0.pdbSumatraPDF.pdblibmupdf.pdbSumatraPDF-no-MuPDF.pdbhttp://kjkpub.s3.amazonaws.com/sumatrapdf/prerel/SumatraPDF-prerelease-SVN_PRE_RELEASE_VER.pdb.zipsymbols_tmp.ziphttp://kjkpub.s3.amazonaws.com/sumatrapdf/rel/SumatraPDF-1.5.3.0.pdb.zipsymbols_tmp.zipSUMATRAPDF_FULLDUMPHaihaisoft PDF Reader crashedSorry, that shouldn't have happened! source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: SumatraPDF-no-MuPDF.pdb source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: SumatraPDF-1.5.3.0.pdb source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: mail.pdb.se source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: xOdx>a0m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: libmupdf.pdb source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp

Spreading

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001C90DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	2_2_001C90DC
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001CB6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_001CB6B5
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001DC7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	2_2_001DC7E5
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001CB8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	2_2_001CB8BA
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_0020E989 FindFirstFileExA,	2_2_0020E989
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001C8CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	2_2_001C8CDE
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001D9CEE FindFirstFileW,FindNextFileW,FindNextFileW,	2_2_001D9CEE
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001C7EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	2_2_001C7EDD
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001C6F13 FindFirstFileW,FindNextFileW,	2_2_001C6F13
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000990DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	10_2_000990DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0009B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	10_2_0009B6B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000AC7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	10_2_000AC7E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0009B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	10_2_0009B8BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000DE989 FindFirstFileExA,	10_2_000DE989
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00098CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	10_2_00098CDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000A9CEE FindFirstFileW,FindNextFileW,FindNextFileW,	10_2_000A9CEE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00097EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	10_2_00097EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00096F13 FindFirstFileW,FindNextFileW,	10_2_00096F13

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001C7357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

2_2_001C7357

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49171 -> 45.74.46.7:30360
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49170 -> 45.74.46.7:30360
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49169 -> 45.74.46.7:30360
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49168 -> 45.74.46.7:30360
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49165 -> 45.74.46.7:30360
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49167 -> 45.74.46.7:30360
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49166 -> 45.74.46.7:30360
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49172 -> 45.74.46.7:30360

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: demo2025project.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: demo2025project.duckdns.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 45.74.46.7:30360

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001E7321 recv,

2_2_001E7321

Source: rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: !pogodok.com.mkhttp://www.pogodok.com.mk/favicon.icohttp://www.pogodok.com.mk/search.jsp?q={searchTerms}Ramblerrambler.ruhttp://www.rambler.ru/favicon.icohttp://www.rambler.ru/srch?words={searchTerms}Rediffrediff.comhttp://search1.rediff.com/favicon.icohttp://search1.rediff.com/dirsrch/default.asp?MT={searchTerms}Rednanorednano.sghttp://rednano.sg/favicon.icohttp://rednano.sg/sfe/lwi.action?querystring={searchTerms}* equals www.rambler.ru (Rambler)
Source: rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: !walla.co.ilhttp://www.walla.co.il/favicon.icohttp://search.walla.co.il/?e=hew&q={searchTerms}Wirtualna Polskawp.plhttp://szukaj.wp.pl/favicon.icohttp://szukaj.wp.pl/szukaj.html?szukaj={searchTerms}Yahoo!yahoo.comhttp://search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms}http://ff.search.yahoo.com/gossip?output=fxjson&command={searchTerms}Yahoo! Argentinaar.yahoo.comhttp://ar.search.yahoo.com/favicon.icohttp://ar.search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms}http://ar-sayt.ff.search.yahoo.com/gossip-ar-sayt?output=fxjson&command={searchTerms}Yahoo! Sucheat.yahoo.comhttp://at.search.yahoo.com/favicon.icohttp://at.search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms}Yahoo!7au.yahoo.comhttp://au.search.yahoo.com/favicon.icohttp://au.search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms}http://aue-sayt.ff.search.yahoo.com/gossip-au-sayt?output=fxjson&command={searchTerms}Yahoo! Brasilbr.yahoo.comhttp://br.search.yahoo.com/favicon.icohttp://br.search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms}http://br-sayt.ff.search.yahoo.com/gossip-br-sayt?output=fxjson&command={searchTerms}Yahoo! Canadaca.yahoo.comhttp://ca.search.yahoo.com/favicon.icohttp://ca.search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms}http://gossip.ca.yahoo.com/gossip-ca-sayt?output=fxjsonp&command={searchTerms}ch.yahoo.comhttp://ch.search.yahoo.com/favicon.icohttp://ch.search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms}Yahoo! Chilecl.yahoo.comhttp://cl.search.yahoo.com/favicon.icohttp://cl.search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms}http://gossip.telemundo.yahoo.com/gossip-e1-sayt?output=fxjson&command={searchTerms}-N equals www.yahoo.com (Yahoo)
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: Untitled.\browser\ui\views\constrained_window_win.cchttp://www.wolframalpha.com/http://www.ask.com/http://www.altavista.com/http://www.bing.com/http://www.yahoo.com/^T equals www.yahoo.com (Yahoo)
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico equals www.rambler.ru (Rambler)
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: t Namvn.yahoo.comhttp://vn.search.yahoo.com/favicon.icohttp://vn.search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms}http://vn-sayt.ff.search.yahoo.com/gossip-vn-sayt?output=fxjson&command={searchTerms}Yamliyamli.comhttp://www.yamli.com/favicon.icohttp://www.yamli.com/#q={searchTerms}/ equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: demo2025project.duckdns.org

Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003EB6000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.0000000011697000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: ftp://http://%.20s%ddefault%d%.20scopying
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: ftp://www.ftp://ftp.http://www.https://www.HistoryURLCheck
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://.google.com/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http:///suggest.fulltext.seznam.cz/?dict=fulltext_ff&phrase=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://1.im.cz/szn/img/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://1.im.cz/szn/img/favicon.icohttp://search.seznam.cz/?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://abcsok.no/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://abcsok.no/favicon.icohttp://abcsok.no/index.html?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ac.search.naver.com/autocompl?m=s&ie=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ar-sayt.ff.search.yahoo.com/gossip-ar-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ar.altavista.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ar.altavista.com/favicon.icohttp://ar.altavista.com/web/results?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ar.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ar.search.yahoo.com/favicon.icohttp://ar.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://araby.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://araby.com/favicon.icohttp://araby.com/?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://at.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://at.search.yahoo.com/favicon.icohttp://at.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://au.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://au.search.yahoo.com/favicon.icohttp://au.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://aue-sayt.ff.search.yahoo.com/gossip-au-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://aue-sayt.ff.search.yahoo.com/gossip-nz-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://br-sayt.ff.search.yahoo.com/gossip-br-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://br.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://br.search.yahoo.com/favicon.icohttp://br.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.icohttp://busca.uol.com.br/www/index.html?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://buscador.terra.es/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://buscador.terra.es/favicon.icohttp://buscador.terra.es/Default.aspx?query=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://buscar.hispavista.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://buscar.terra.com.ar/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://buscar.terra.com.ar/favicon.icohttp://buscar.terra.com.ar/Default.aspx?query=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ca.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ca.search.yahoo.com/favicon.icohttp://ca.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://cache.pack.google.com/edgedl/chrome/dict/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://cache.pack.google.com/edgedl/chrome/dict/Check
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://caminobrowser.org/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://casper.beckman.uiuc.edu/~c-tsai4
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ch.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ch.search.yahoo.com/favicon.icohttp://ch.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://chasen.aist-nara.ac.jp/chasen/distribution.html
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://chromecertcheck.appspot.com/upload
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://chromecertcheck.appspot.com/uploadx-application/chrome-cert-provenance-reportCheck
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://cl.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://cl.search.yahoo.com/favicon.icohttp://cl.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cn.haihaisoft.comhttp://www.haihaisoft.comcnhttp://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://co.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://co.search.yahoo.com/favicon.icohttp://co.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/chromium/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/angleproject/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/chromium-os/issues/detail?id=916.
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/chromium/issues/entry?
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/data-race-test/wiki/DynamicAnnotations
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/google-cache-invalidation-api/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/google-glog/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/google-jstemplate/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/google-safe-browsing/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/google-toolbox-for-mac/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/libjingle/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/mongoose/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/ots/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/pdfsqueeze/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/ppapi/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/pyftpdlib/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/pywebsocket/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/p/skia
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://code.google.com/speed/webp
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://crbug.com/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://crbug.com/13215
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://crbug.com/13216
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://crbug.com/21433
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://crbug.com/25329
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://crbug.com/40902
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://crbug.com/44982).
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://crbug.com/70930
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://crbug.com/73730
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://creativecommons.org/licenses/by-sa/3.0
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://de-sayt.ff.search.yahoo.com/gossip-de-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://de.ask.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://de.ask.com/favicon.icohttp://de.ask.com/web?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://de.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://de.search.yahoo.com/favicon.icohttp://de.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://dev.chromium.org/dnscertprovenancechecking
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://dev.chromium.org/dnscertprovenancecheckingpN
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://developer.apple.com/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://dk.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://dk.search.yahoo.com/favicon.icohttp://dk.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://download.divx.com/divx/autoupdate/player/DivXWebPlayerInstaller.exe
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://downloads.xiph.org/releases/speex/speex-1.2rc1.tar.gz
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://eniro.fi/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://eniro.se/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://es-sayt.ff.search.yahoo.com/gossip-es-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://es.ask.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://es.ask.com/favicon.icohttp://es.ask.com/web?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://es.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://es.search.yahoo.com/favicon.icohttp://es.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://etherx.jabber.org/streams
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://etherx.jabber.org/streamsurn:ietf:params:xml:ns:xmpp-streamsurn:ietf:params:xml:ns:xmpp-tlsur
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ff.search.yahoo.com/gossip?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ffmpeg.org/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://fi.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://fi.search.yahoo.com/favicon.icohttp://fi.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://fr-sayt.ff.search.yahoo.com/gossip-fr-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://fr.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://fr.search.yahoo.com/favicon.icohttp://fr.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://freedesktop.org/wiki/Software/HarfBuzz
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://fsf.org/>
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://git.berlios.de/cgi-bin/gitweb.cgi?p=gpsd;a=summary
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://goo.ne.jp/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://google-perftools.googlecode.com/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://gossip.ca.yahoo.com/gossip-ca-sayt?output=fxjsonp&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://gossip.mx.yahoo.com/gossip-mx-sayt?output=fxjsonp&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://gossip.telemundo.yahoo.com/gossip-e1-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://guruji.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://hg.mozilla.org/mozilla-central/src/memory
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://hg.mozilla.org/mozilla-central/tools/codesighs
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://hk.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://hk.search.yahoo.com/favicon.icohttp://hk.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://hunspell.sourceforge.net/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://i.dir.bg/diri/images/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://id-sayt.ff.search.yahoo.com/gossip-id-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://id.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://id.search.yahoo.com/favicon.icohttp://id.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.icohttp://search.atlas.cz/?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://img.centrum.cz/6/vy2/o/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://img.centrum.sk/4/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://img.go.mail.ru/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://img.mynet.com/mynetfavori.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://img.mynet.com/mynetfavori.icohttp://arama.mynet.com/search.aspx?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://imgs.sapo.pt/images/sapo.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://imgs.sapo.pt/images/sapo.icohttp://pesquisa.sapo.pt/?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://in-sayt.ff.search.yahoo.com/gossip-in-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://in.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://in.search.yahoo.com/favicon.icohttp://in.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://it-sayt.ff.search.yahoo.com/gossip-it-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://it.ask.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://it.ask.com/favicon.icohttp://it.ask.com/web?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://it.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://it.search.yahoo.com/favicon.icohttp://it.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://itexmac.sourceforge.net/SyncTeX.htmlJ
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://jabber.org/protocol/caps
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://jabber.org/protocol/chatstates
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://jabber.org/protocol/disco#info
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://jabber.org/protocol/disco#items
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://jabber.org/protocol/muc#user
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://jabber.org/protocol/nick
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://kb.eset.com/esetkb/index?page=content&id=SOLN2588
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://kr.atc.search.yahoo.com/atcx.php?property=main&ot=fxjson&ei=utf8&eo=utf8&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://kr.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://kr.search.yahoo.com/favicon.icohttp://kr.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://latne.lv/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://leit.is/leit.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://libpng.org/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://linkhelp.clients.google.com/tbproxy/lh/fixurl
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://linkhelp.clients.google.com/tbproxy/lh/fixurlhl.
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ltp.sourceforge.net/coverage/lcov.php
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://lxr.mozilla.org/mozilla/source/other-licenses/bsdiff/bsdiff.c
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://lxr.mozilla.org/mozilla/source/toolkit/mozapps/update/src/updater/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://mailto:EmbeddedFilesTypeFilespecD%s%dR%s%sA%s%sKids.seen.seen.seenNumsSPStD%s.%d:%d:%dInfoPag
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://malaysia.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://malaysia.search.yahoo.com/favicon.icohttp://malaysia.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://modp.com/release/base64
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://modp.com/release/base64/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://mx.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://mx.search.yahoo.com/favicon.icohttp://mx.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://mxr.mozilla.org/mozilla-central/source/gfx/qcms/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://mxr.mozilla.org/mozilla-central/source/modules/plugin/base/public/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://mxr.mozilla.org/mozilla-central/source/security/manager/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://my-sayt.ff.search.yahoo.com/gossip-my-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://nate.search.empas.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://nate.search.empas.com/favicon.icohttp://nate.search.empas.com/search/all.html?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://netsprint.pl/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://netsprint.pl/favicon.icohttp://www.netsprint.pl/serwis/search?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://nl.ask.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://nl.ask.com/favicon.icohttp://nl.ask.com/web?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://nl.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://nl.search.yahoo.com/favicon.icohttp://nl.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://no.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://no.search.yahoo.com/favicon.icohttp://no.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://nz.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://nz.search.yahoo.com/favicon.icohttp://nz.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ok.hu/gfx/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ok.hu/gfx/favicon.icohttp://ok.hu/katalogus?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://opengles-book.com/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://openssl.org/source/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://other.com/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://pe.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://pe.search.yahoo.com/favicon.icohttp://pe.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://people.ubuntu.com/~fta/chromium/translations/trunk/patched-files/chrome/app/resources/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://pesquisa.sapo.pt/livesapo?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ph-sayt.ff.search.yahoo.com/gossip-ph-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ph.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ph.search.yahoo.com/favicon.icohttp://ph.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://portland.freedesktop.org/wiki/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://projects.gnome.org/gtksourceview/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://protobuf.googlecode.com/svn/trunk
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://qc.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://qc.search.yahoo.com/favicon.icohttp://qc.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://rednano.sg/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://rednano.sg/favicon.icohttp://rednano.sg/sfe/lwi.action?querystring=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003EB6000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.0000000011697000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003EB6000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.0000000011697000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://relaxng.org/ns/structure/1.0allocating
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ricerca.alice.it/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ricerca.alice.it/favicon.icohttp://ricerca.alice.it/ricerca?qs=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ru.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ru.search.yahoo.com/favicon.icohttp://ru.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://safari.informit.com/9780321563835
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://safebrowsing.clients.google.com/safebrowsing
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=%s&client=chromium
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://se.altavista.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://se.altavista.com/favicon.icohttp://se.altavista.com/web/results?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://se.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://se.search.yahoo.com/favicon.icohttp://se.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search.aol.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search.aol.com/favicon.icohttp://search.aol.com/aol/search?query=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search.cn.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search.cn.yahoo.com/favicon.icohttp://search.cn.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search.delfi.lt/img/favicon.png
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search.jubii.dk/favicon_jubii.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search.naver.com/favicon.icohttp://search.naver.com/search.naver?ie=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search.sanook.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search.sanook.com/favicon.icohttp://search.sanook.com/search.php?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.icohttp://search.yahoo.co.jp/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search1.rediff.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://search1.rediff.com/favicon.icohttp://search1.rediff.com/dirsrch/default.asp?MT=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://selenium.googlecode.com/svn/trunk/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://seleniumhq.org
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://sg-sayt.ff.search.yahoo.com/gossip-sg-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://sg.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://sg.search.yahoo.com/favicon.icohttp://sg.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://site.icu-project.org/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://sites.google.com/a/chromium.org/dev/err_ssl_weak_server_ephemeral_dh_key
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://smart.delfi.lv/img/smart_search.png
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://sourceforge.net/projects/expat/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://sourceforge.net/projects/hunspell/files/Hyphen/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://sourceforge.net/projects/libjpeg-turbo/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://sqlite.org/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/icu42/source/data/brkitr/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/xz/COPYING
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://src.chromium.org/viewvc/chrome/trunk/src/third_party/cld/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://src.chromium.org/viewvc/chrome/trunk/src/third_party/cld/languages/internal/languages.cc
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://srtp.sourceforge.net
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ss.ask.com/query?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ss.de.ask.com/query?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ss.es.ask.com/query?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ss.it.ask.com/query?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ss.nl.ask.com/query?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ss.uk.ask.com/query?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://szukaj.onet.pl/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://szukaj.onet.pl/favicon.icohttp://szukaj.onet.pl/query.html?qt=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://szukaj.wp.pl/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://szukaj.wp.pl/favicon.icohttp://szukaj.wp.pl/szukaj.html?szukaj=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://talloc.samba.org/talloc/doc/html/index.html
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://th-sayt.ff.search.yahoo.com/gossip-th-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://th.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://th.search.yahoo.com/favicon.icohttp://th.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://toolbarqueries.clients.google.com:80/tbproxy/af/query
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://toolbarqueries.clients.google.com:80/tbproxy/af/upload
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://toolbarqueries.clients.google.com:80/tbproxy/af/uploadhttp://toolbarqueries.clients.google.co
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://translate.google.com/translate_a/element.js?cb=cr.googleTranslate.onTranslateElementLoad
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://translate.google.com/translate_error
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://translate.google.com/translate_errorGoogle-Translate-Element-Mode:
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://trevp.net/tlslite/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://tukaani.org/xz/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://tw.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://tw.search.yahoo.com/favicon.icohttp://tw.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://uk-sayt.ff.search.yahoo.com/gossip-uk-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://uk.ask.com/favicon.icohttp://uk.ask.com/web?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://uk.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://uk.search.yahoo.com/favicon.icohttp://uk.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://undefined.org/python/#simplejson
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://url.handled.by.fake.dns/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://url.handled.by.slow.download/download-finish
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://url.handled.by.slow.download/download-known-size
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://url.handled.by.slow.download/download-unknown-size
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://url.handled.by.slow.download/download-unknown-sizehttp://url.handled.by.slow.download/downloa
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://valgrind.org
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ve.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://ve.search.yahoo.com/favicon.icohttp://ve.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://vn-sayt.ff.search.yahoo.com/gossip-vn-sayt?output=fxjson&command=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://vn.search.yahoo.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://vn.search.yahoo.com/favicon.icohttp://vn.search.yahoo.com/search?ei=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://webkit.org/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://wiki.greasespot.net/Greasemonkey_Manual:APIs
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://wiki.services.openoffice.org/wiki/Dictionaries
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://wpad/wpad.dat
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://wpad/wpad.dat.
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www-01.ibm.com/software/awdtools/purify/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.02.fi/img/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.7-zip.org/sdk.html
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.altavista.com/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.altavista.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.altavista.com/favicon.icohttp://www.altavista.com/web/results?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Digitized
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.apple.com/legal/guidelinesfor3rdparties.html.
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.apple.com/quicktime/download/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlLicensed
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.ask.com/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.ask.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.ask.com/favicon.icohttp://www.ask.com/web?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.atlas.sk/images/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.atlas.sk/images/favicon.icohttp://hladaj.atlas.sk/fulltext/?phrase=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.bzip.org/downloads.html
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.daemonology.net/bsdiff/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.eniro.se/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.eniro.se/favicon.icohttp://www.eniro.se/query?ax=spray&search_word=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.freedesktop.org/wiki/Software/xdg-user-dirs
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.gnu.org/licenses/>.
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.GoogleURLTracker::QueueWakeupTask.
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.google.com
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/Check
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/accounts/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/accounts/trueHOSTED_OR_GOOGLEGOOGLEInfo=InvalidSecondFactorhttps://www.google.
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/chrome/sync
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/chrome/syncnotificationsync-ping
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/https://www.google.com/searchdomaincheck?format=domain&type=chrome
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/intl/en_us/privacy/browsing.html
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/intl/en_us/privacy/browsing.htmlhttp://www.google.com/support/bin/answer.py?an
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/landing/cloudprint/enable.html?print=true
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/notebook/token?zx=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/notebook/toolbar?cmd=list&tok=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/safebrowsing/report_error/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/safebrowsing/report_phish/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/safebrowsing/report_phish/https://www.google.com/tools/feedback/chrome/__submi
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/session
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/session/phone
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/session/video
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/session/voicemail
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/sessioninitiatorcreatorjinglereasonsession-initiatesession-infosession-accepts
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/accounts/bin/answer.py?answer=48598
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/accounts/bin/answer.py?ctx=ch&answer=27444
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/accounts/bin/answer.py?ctx=ch&answer=27444http://www.google.com/suppor
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/bin/answer.py?answer=106318
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/bin/answer.py?answer=45449&topic=360&sa=X&oi=malwarewarninglink&resnum
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=114836
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=1181035
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=142065
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=142065.
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=142893
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=150752
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=173424
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=173424pl
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=95464
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=95464http://www.google.com/support/chrome/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=95617
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=95626
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=95626http://sites.google.com/a/chromium.or
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=95669
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=95697&topic=14687
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=95697&topic=14687.
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/answer.py?answer=96817
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/bin/request.py?contact_type=broken_website&format=inproduct&p.p
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.google.com/support/chrome/go/feedback_confirmation
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/http://www.google.com/support/chrome/bin/answer.py?answer=14289
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/chrome/http://www.google.com/support/chrome/bin/answer.py?answer=95617
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/cloudprint
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/support/talk/bin/request.py
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/talk/protocol/auth
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/talk/protocol/authservicep
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/tools/firefox/toolbar/FT2/intl/%s/submit_success.html
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/tools/firefox/toolbar/FT2/intl/%s/submit_success.html?tpl=%s&continue=%s&url=%
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/transport/p2p
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/update2/response
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com/update2/responseInvalid
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com:80
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.google.com:80:80Check
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.haihaisoft.com/Contact.aspx
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.haihaisoft.com/Contact.aspx%u%?.Install_DirSoftware
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.haihaisoft.com/PDF_Reader_download.aspxhttp://www.drm-x.com/pdfversion.htmMS
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003EB6000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.0000000011697000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003EB6000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.0000000011697000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-/W3C/DTD
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.ijg.org
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.ijg.org/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.in.gr/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.jabse.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.json.com/json-schema-proposal/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.khronos.org/openmax/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.kvasir.no/img/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.linuxfoundation.org/collaborate/workgroups/accessibility/iaccessible2
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.icohttp://www.maktoob.com/searchResult.php?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.masrawy.com/new/images/masrawy.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.masrawy.com/new/images/masrawy.icohttp://masrawy.com/new/search.aspx?sr=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.mdbg.net/chindict/chindict.php?page=cedict
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.mdbg.net/chindict/export/cedict/cedict_1_0_ts_utf-8_mdbg.txt.gz
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.mesa3d.org/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.monkey.org/~provos/libevent/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.mozilla.org/MPL/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.mozilla.org/NPL/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.mozilla.org/access/windows/at-apis
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.mozilla.org/projects/nspr/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.mozilla.org/projects/security/pki/nss/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.mulle-kybernetik.com/software/OCMock/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.najdi.si/master/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.najdi.si/master/favicon.icohttp://www.najdi.si/search.jsp?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.neti.ee/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.neti.ee/favicon.icohttp://www.neti.ee/cgi-bin/otsing?query=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.netlib.org/fp/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.nur.kz/favicon_kz.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.nur.kz/favicon_kz.icohttp://search.nur.kz/?encoding=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.opengles-book.com
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.opensource.apple.com/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.opensource.apple.com/apsl/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.opensource.org/licenses/bsd-license.php
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.openssl.org/)
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.pogodak.ba/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.pogodak.ba/favicon.icohttp://www.pogodak.ba/search.jsp?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.pogodak.hr/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.pogodak.hr/favicon.icohttp://www.pogodak.hr/search.jsp?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.pogodak.rs/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.pogodak.rs/favicon.icohttp://www.pogodak.rs/search.jsp?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.pogodok.com.mk/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.pogodok.com.mk/favicon.icohttp://www.pogodok.com.mk/search.jsp?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.icohttp://www.rambler.ru/srch?words=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.real.com/realplayer/download
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.seanpatrickobrien.com/journal/posts/3
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.search.ch/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.search.ch/favicon.icohttp://www.search.ch/index.de.html?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.search.ch/index.fr.html?q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.strongtalk.org/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.swig.org/download.html
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.tortall.net/projects/yasm/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.tut.by/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.tut.by/favicon.icohttp://search.tut.by/?query=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.walla.co.il/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.walla.co.il/favicon.icohttp://search.walla.co.il/?e=hew&q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.webmproject.org
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDllbad
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.wolframalpha.com/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.yahoo.com/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.yamli.com/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.yamli.com/favicon.icohttp://www.yamli.com/#q=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://xmlsoft.org
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://xmlsoft.org/XSLT
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://yandex.ua/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://zlib.net/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://zoznam.sk/favicon.ico
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=28885
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=52256
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=56606
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxhttp://clients2.google.com/service/update2/crxA-----B
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/dev
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/devhttps://clients4.google.com/chrome-sync
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://clients4.google.com/firefox/metrics/collectUninstall
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://developer.mozilla.org/en/Gecko_SDK
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://dl-ssl.google.com/chrome/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.442402408.0000000011697000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://dl-ssl.google.com/edgedl/chrome/plugins/plugins2.xml
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://dl.google.com/dl/edgedl/chrome/gpu/software_rendering_list.json
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://hg.mozilla.org/mozilla-central/file/05f3c68e73c9/extensions/auth/gssapi.h
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://sb-ssl.google.com/safebrowsing
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/phishing
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/phishinghttps://ssl.gstatic.com/safebrowsing/csd
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://sb-ssl.google.com/safebrowsinghttp://safebrowsing.clients.google.com/safebrowsing
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://sourceforge.net/project/?group_id=1519
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://ssl.gstatic.com/safebrowsing/csd/client_model_v0.pb
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://tools.google.com/chrome/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/accounts/ClientLogin
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/accounts/GetUserInfo
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/accounts/IssueAuthToken
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/accounts/NewAccount?service=chromiumsync
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/accounts/NewAccount?service=chromiumsynchttp://www.google.com/support/chrome/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/accounts/ServiceLogin
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/accounts/ServiceLogin4)
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/cloudprint
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/cloudprinthttp://www.google.com/support/cloudprinthttp://www.google.com/landi
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/cloudprinthttps://www.google.com/accounts/ClientLogincloudprintchromiumsynccl
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/dashboard
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/loc/json
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/searchdomaincheck?format=domain&type=chrome
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000004329000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.0000000011B0A000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.google.com/speech-api/v1/recognize?xjerr=1&client=chromium&
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/support/chrome/bin/answer.py?answer=1181003
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/support/chrome/bin/answer.py?answer=1247383
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/support/chrome/bin/topic/1142433/inproduct?hl=
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/support/chrome/bin/topic/1142433/inproduct?hl=tipscurrent_tip
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.googleapis.com/chromoting/v1/
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.000000000438A000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011BF9000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537634257.0000000011BF9000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.khronos.org/opengles/adopters/login/conformance/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001C9D1E SetWindowsHookExA 0000000D,001C9D0A,00000000

2_2_001C9D1E

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001CB158 OpenClipboard,GetClipboardData,CloseClipboard,

2_2_001CB158

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001D696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,		2_2_001D696E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000A696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,		10_2_000A696E

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001CB158 OpenClipboard,GetClipboardData,CloseClipboard,

2_2_001CB158

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001C9E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

2_2_001C9E4A

Yara detected Keylogger Generic

Source: Yara match	File source: 12.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.03262025_Distribution Notice.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2790000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.960000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.960000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 03262025_Distribution Notice.exe PID: 3560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 03262025_Distribution Notice.exe PID: 3696, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.03262025_Distribution Notice.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2790000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.960000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.960000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.910038572.0000000000C74000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.528588928.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.562253767.00000000003D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 03262025_Distribution Notice.exe PID: 3560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 03262025_Distribution Notice.exe PID: 3696, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001DCF2D SystemParametersInfoW,		2_2_001DCF2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000ACF2D SystemParametersInfoW,		10_2_000ACF2D

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.03262025_Distribution Notice.exe.1c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.03262025_Distribution Notice.exe.1c0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.03262025_Distribution Notice.exe.1c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.rundll32.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.rundll32.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.rundll32.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.03262025_Distribution Notice.exe.2690000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.03262025_Distribution Notice.exe.2690000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.03262025_Distribution Notice.exe.2690000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.rundll32.exe.8b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.rundll32.exe.8b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.rundll32.exe.8b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.03262025_Distribution Notice.exe.2790000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.03262025_Distribution Notice.exe.2790000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.03262025_Distribution Notice.exe.2790000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.rundll32.exe.960000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.rundll32.exe.960000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.rundll32.exe.960000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.rundll32.exe.960000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.rundll32.exe.960000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.rundll32.exe.960000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: 03262025_Distribution Notice.exe PID: 3560, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 03262025_Distribution Notice.exe PID: 3696, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 03262025_Distribution Notice.exe

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 770B0000 page execute and read and write

Contains functionality to call native functions

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00289006 NtCreateThreadEx,	0_2_00289006
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002898AC NtCreateThreadEx,	0_2_002898AC
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002888B2 NtCreateThreadEx,	0_2_002888B2
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00289B14 NtCreateThreadEx,	0_2_00289B14
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00288551 NtCreateThreadEx,	0_2_00288551
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00288589 NtCreateThreadEx,	0_2_00288589
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0028961C NtCreateThreadEx,	0_2_0028961C
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00289682 NtCreateThreadEx,	0_2_00289682
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00288720 NtCreateThreadEx,	0_2_00288720
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00179006 NtCreateThreadEx,	7_2_00179006
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001788B2 NtCreateThreadEx,	7_2_001788B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001798AC NtCreateThreadEx,	7_2_001798AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00179B14 NtCreateThreadEx,	7_2_00179B14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00178551 NtCreateThreadEx,	7_2_00178551
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00178589 NtCreateThreadEx,	7_2_00178589
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017961C NtCreateThreadEx,	7_2_0017961C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00179682 NtCreateThreadEx,	7_2_00179682
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00178720 NtCreateThreadEx,	7_2_00178720

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001D6861 ExitWindowsEx,LoadLibraryA,GetProcAddress,		2_2_001D6861
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000A6861 ExitWindowsEx,LoadLibraryA,GetProcAddress,		10_2_000A6861

Detected potential crypto function

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0027D274	0_2_0027D274
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00277247	0_2_00277247
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026BA45	0_2_0026BA45
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00264E7F	0_2_00264E7F
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026DEC5	0_2_0026DEC5
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026D861	0_2_0026D861
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00288061	0_2_00288061
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E07F	0_2_0026E07F
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002728AC	0_2_002728AC
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002888B2	0_2_002888B2
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E884	0_2_0026E884
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00263081	0_2_00263081
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E0E6	0_2_0026E0E6
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002770F1	0_2_002770F1
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002658FC	0_2_002658FC
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E0CA	0_2_0026E0CA
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026F8C8	0_2_0026F8C8
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00275137	0_2_00275137
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00278919	0_2_00278919
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E960	0_2_0026E960
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002771BE	0_2_002771BE
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00271196	0_2_00271196
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002631E7	0_2_002631E7
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002631ED	0_2_002631ED
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E9C3	0_2_0026E9C3
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E9D0	0_2_0026E9D0
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0028723D	0_2_0028723D
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00265A0F	0_2_00265A0F
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026EA08	0_2_0026EA08
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00265A4A	0_2_00265A4A
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00263256	0_2_00263256
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00265A50	0_2_00265A50
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00265AA2	0_2_00265AA2
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00286AB1	0_2_00286AB1
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00265AE0	0_2_00265AE0
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002882EF	0_2_002882EF
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002632F0	0_2_002632F0
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E2CC	0_2_0026E2CC
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026F30F	0_2_0026F30F
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026EB1B	0_2_0026EB1B
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00276B77	0_2_00276B77
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00265B7F	0_2_00265B7F
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00263378	0_2_00263378
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026334B	0_2_0026334B
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026EB54	0_2_0026EB54
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0027935E	0_2_0027935E
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026335B	0_2_0026335B
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E358	0_2_0026E358
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026F359	0_2_0026F359
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00265BA3	0_2_00265BA3
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002783AB	0_2_002783AB
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00285380	0_2_00285380
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00265B8C	0_2_00265B8C
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00289385	0_2_00289385
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026339A	0_2_0026339A
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E3E5	0_2_0026E3E5
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00265BD6	0_2_00265BD6
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00288C34	0_2_00288C34
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00287435	0_2_00287435
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00262C0B	0_2_00262C0B
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E41B	0_2_0026E41B
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0027147C	0_2_0027147C
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E446	0_2_0026E446
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00263458	0_2_00263458
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00276CA7	0_2_00276CA7
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002634A8	0_2_002634A8
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E4B5	0_2_0026E4B5
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026348F	0_2_0026348F
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026FCE0	0_2_0026FCE0
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00274CE0	0_2_00274CE0
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026ECFD	0_2_0026ECFD
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002894CC	0_2_002894CC
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002684D8	0_2_002684D8
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00264D36	0_2_00264D36
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0027CD3F	0_2_0027CD3F
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026ED02	0_2_0026ED02
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00264D6C	0_2_00264D6C
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026ED76	0_2_0026ED76
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00270D70	0_2_00270D70
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00278547	0_2_00278547
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026ED40	0_2_0026ED40
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E54F	0_2_0026E54F
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00275D86	0_2_00275D86
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E5C9	0_2_0026E5C9
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0027CE2A	0_2_0027CE2A
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E610	0_2_0026E610
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00287674	0_2_00287674
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026E65C	0_2_0026E65C
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002656B2	0_2_002656B2
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026EE95	0_2_0026EE95
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002756C4	0_2_002756C4
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00271F26	0_2_00271F26
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026DF28	0_2_0026DF28
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026577B	0_2_0026577B
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_00285F75	0_2_00285F75
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0028675C	0_2_0028675C
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_0026EF8F	0_2_0026EF8F
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002657FF	0_2_002657FF
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D50B0	0_2_002D50B0
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D14CD	0_2_002D14CD
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D329D	0_2_002D329D
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D5412	0_2_002D5412
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D406E	0_2_002D406E
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D5063	0_2_002D5063
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D304C	0_2_002D304C
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C1852	0_2_002C1852
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D48AE	0_2_002D48AE
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C94A1	0_2_002C94A1
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D48BC	0_2_002D48BC
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D24B4	0_2_002D24B4
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D48B3	0_2_002D48B3
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C8C8C	0_2_002C8C8C
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C7C88	0_2_002C7C88
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D0099	0_2_002D0099
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C7894	0_2_002C7894
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D8096	0_2_002D8096
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D28EF	0_2_002D28EF
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C8CD0	0_2_002C8CD0
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C8D36	0_2_002C8D36
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C8D1C	0_2_002C8D1C
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C7D7C	0_2_002C7D7C
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C8D70	0_2_002C8D70
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C9159	0_2_002C9159
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D2DBD	0_2_002D2DBD
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D25B6	0_2_002D25B6
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C8984	0_2_002C8984
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C7984	0_2_002C7984
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D05E7	0_2_002D05E7
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C89CE	0_2_002C89CE
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C8A0A	0_2_002C8A0A
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C8A04	0_2_002C8A04
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D3A04	0_2_002D3A04
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C8A6C	0_2_002C8A6C
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D4261	0_2_002D4261
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C8A4D	0_2_002C8A4D
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C8AA8	0_2_002C8AA8
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C8ABF	0_2_002C8ABF
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C8EB5	0_2_002C8EB5
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D1AB2	0_2_002D1AB2
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C9290	0_2_002C9290
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D4E93	0_2_002D4E93
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C7AEA	0_2_002C7AEA
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C7AFD	0_2_002C7AFD
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C8B38	0_2_002C8B38
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C7B08	0_2_002C7B08
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D4F1C	0_2_002D4F1C
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D1311	0_2_002D1311
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D2778	0_2_002D2778
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D2771	0_2_002D2771
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C8BA2	0_2_002C8BA2
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D27CF	0_2_002D27CF
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002C67CF	0_2_002C67CF
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D4FC5	0_2_002D4FC5
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 0_2_002D4FDA	0_2_002D4FDA
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001E809D	2_2_001E809D
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_0021412B	2_2_0021412B
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001E81D7	2_2_001E81D7
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_002021C0	2_2_002021C0
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001FE1E0	2_2_001FE1E0
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001DE29B	2_2_001DE29B
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001F8380	2_2_001F8380
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001F73DA	2_2_001F73DA
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001FE43D	2_2_001FE43D
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_00213472	2_2_00213472
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001E747E	2_2_001E747E
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001F25A1	2_2_001F25A1
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001F774C	2_2_001F774C
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001DF809	2_2_001DF809
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001F79F6	2_2_001F79F6
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001E79F5	2_2_001E79F5
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_0020DAD9	2_2_0020DAD9
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001F3C73	2_2_001F3C73
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001F7CBD	2_2_001F7CBD
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001D3CA0	2_2_001D3CA0
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001FDD82	2_2_001FDD82
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001F5F52	2_2_001F5F52
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001F7F78	2_2_001F7F78
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001FDFB1	2_2_001FDFB1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015BA45	7_2_0015BA45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00167247	7_2_00167247
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0016D274	7_2_0016D274
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00154E7F	7_2_00154E7F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015DEC5	7_2_0015DEC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E07F	7_2_0015E07F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015D861	7_2_0015D861
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00178061	7_2_00178061
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E884	7_2_0015E884
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00153081	7_2_00153081
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001788B2	7_2_001788B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001628AC	7_2_001628AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015F8C8	7_2_0015F8C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E0CA	7_2_0015E0CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001670F1	7_2_001670F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001558FC	7_2_001558FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E0E6	7_2_0015E0E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00168919	7_2_00168919
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00165137	7_2_00165137
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E960	7_2_0015E960
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00161196	7_2_00161196
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001671BE	7_2_001671BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E9D0	7_2_0015E9D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E9C3	7_2_0015E9C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001531E7	7_2_001531E7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001531ED	7_2_001531ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00155A0F	7_2_00155A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015EA08	7_2_0015EA08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017723D	7_2_0017723D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00153256	7_2_00153256
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00155A50	7_2_00155A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00155A4A	7_2_00155A4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00176AB1	7_2_00176AB1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00155AA2	7_2_00155AA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E2CC	7_2_0015E2CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001532F0	7_2_001532F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00155AE0	7_2_00155AE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001782EF	7_2_001782EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015EB1B	7_2_0015EB1B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015F30F	7_2_0015F30F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015EB54	7_2_0015EB54
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0016935E	7_2_0016935E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015F359	7_2_0015F359
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E358	7_2_0015E358
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015335B	7_2_0015335B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015334B	7_2_0015334B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00166B77	7_2_00166B77
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00155B7F	7_2_00155B7F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00153378	7_2_00153378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015339A	7_2_0015339A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00179385	7_2_00179385
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00175380	7_2_00175380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00155B8C	7_2_00155B8C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00155BA3	7_2_00155BA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001683AB	7_2_001683AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00155BD6	7_2_00155BD6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E3E5	7_2_0015E3E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E41B	7_2_0015E41B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00152C0B	7_2_00152C0B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00177435	7_2_00177435
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00178C34	7_2_00178C34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00153458	7_2_00153458
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E446	7_2_0015E446
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0016147C	7_2_0016147C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015348F	7_2_0015348F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E4B5	7_2_0015E4B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00166CA7	7_2_00166CA7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001534A8	7_2_001534A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001584D8	7_2_001584D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001794CC	7_2_001794CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015ECFD	7_2_0015ECFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015FCE0	7_2_0015FCE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00164CE0	7_2_00164CE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015ED02	7_2_0015ED02
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00154D36	7_2_00154D36
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0016CD3F	7_2_0016CD3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00168547	7_2_00168547
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015ED40	7_2_0015ED40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E54F	7_2_0015E54F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015ED76	7_2_0015ED76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00160D70	7_2_00160D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00154D6C	7_2_00154D6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00165D86	7_2_00165D86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E5C9	7_2_0015E5C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E610	7_2_0015E610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0016CE2A	7_2_0016CE2A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015E65C	7_2_0015E65C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00177674	7_2_00177674
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015EE95	7_2_0015EE95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001556B2	7_2_001556B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001656C4	7_2_001656C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00161F26	7_2_00161F26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015DF28	7_2_0015DF28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0017675C	7_2_0017675C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00175F75	7_2_00175F75
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015577B	7_2_0015577B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0015EF8F	7_2_0015EF8F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001557FF	7_2_001557FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A8096	7_2_001A8096
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000B809D	10_2_000B809D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000E412B	10_2_000E412B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000D21C0	10_2_000D21C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000B81D7	10_2_000B81D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000CE1E0	10_2_000CE1E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000AE29B	10_2_000AE29B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000C8380	10_2_000C8380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000C73DA	10_2_000C73DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000CE43D	10_2_000CE43D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000B747E	10_2_000B747E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000E3472	10_2_000E3472
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000C25A1	10_2_000C25A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000C774C	10_2_000C774C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000AF809	10_2_000AF809
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000C79F6	10_2_000C79F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000B79F5	10_2_000B79F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000DDAD9	10_2_000DDAD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000C3C73	10_2_000C3C73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000A3CA0	10_2_000A3CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000C7CBD	10_2_000C7CBD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000CDD82	10_2_000CDD82
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000C5F52	10_2_000C5F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000C7F78	10_2_000C7F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000CDFB1	10_2_000CDFB1

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: String function: 001C1EBF appears 32 times
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: String function: 001F51E0 appears 55 times
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: String function: 001F4ACF appears 43 times
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: String function: 001C2117 appears 41 times
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: String function: 001C1F96 appears 49 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 00092117 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 00091F96 appears 49 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 000C4ACF appears 43 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 00091EBF appears 31 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 000C51E0 appears 55 times

PE file contains executable resources (Code or Archives)

Source: JavaUpdater943034.dll.0.dr

Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Sample file is different than original file name gathered from version info

Source: 03262025_Distribution Notice.exe, 00000000.00000003.436405230.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs 03262025_Distribution Notice.exe
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.00000000046B5000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameberkelium.dll< vs 03262025_Distribution Notice.exe
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \VarFileInfo\Translation\StringFileInfo\%04x%04x\%lsCompanyNameCompanyShortNameInternalNameProductNameProductShortNameCommentsLegalCopyrightProductVersionFileDescriptionLegalTrademarksPrivateBuildFileVersionOriginalFilenameSpecialBuildLastChange1Official BuildCheck failed: data_.get(). .\file_version_info_win.ccGB/sMB/skB/sB/sMBkBB vs 03262025_Distribution Notice.exe
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: 0has caused the Haihaisoft PDF Reader to exit. Please close all screen capture software and open the Haihaisoft PDF Reader again.\\VarFileInfo\TranslationOriginalFilename, , , , A:\B:\cccgoogledrivesync.exeaaa, Domain parse error 4./HaihaisoftWeb page content length is 0.ntdll.dllRtlGetNtVersionNumbersindivstr is empty!%s\Haihaisoft\XPDF\%s.lic%s\Haihaisoft\XPDF\V3.licindivstr2013 is empty!%s\Haihaisoft\XPDF\%s.licq1Ggw0sW0raah/rGgDOENvB7EvvftEWPYBEHVgshiJN3ce+NsnD4IzY=GetIndivStr failed. %s%s&csb=%s&usb=%d&asb=%d&ContentType=PDF<r00412b>q1Ggw0sW0raah/rGgDOENvB7EvvSvlyPYBEHVgshiJN3ce+NsnD4IzY=%s%s&csb=%s&usb=%d&asb=%d&ContentType=PDF<r00412b/>q1Ggw0sW0uacjfrJgHiUavkkB/jE9UvPfw5HBlxMndR4XemQ/3DiLmWBRkTJYQ==q1Ggw0sW0uacjfrJgHiUavU3A73dslvPdFUZAVV+xc1yZMCC5G3UN27dXVnLY9C5l7Xo..cnhttp://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD%AF%E4%BB%B6PDF%E9%98%85%E8%AF%BB%E5%99%A8.aspxopenhttp://www.haihaisoft.com/PDF_Reader_download.aspxopencng vs 03262025_Distribution Notice.exe
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441401970.00000000009FC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehpreader.exeL vs 03262025_Distribution Notice.exe
Source: 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: 0has caused the Haihaisoft PDF Reader to exit. Please close all screen capture software and open the Haihaisoft PDF Reader again.\\VarFileInfo\TranslationOriginalFilename, , , , A:\B:\cccgoogledrivesync.exeaaa, Domain parse error 4./HaihaisoftWeb page content length is 0.ntdll.dllRtlGetNtVersionNumbersindivstr is empty!%s\Haihaisoft\XPDF\%s.lic%s\Haihaisoft\XPDF\V3.licindivstr2013 is empty!%s\Haihaisoft\XPDF\%s.licq1Ggw0sW0raah/rGgDOENvB7EvvftEWPYBEHVgshiJN3ce+NsnD4IzY=GetIndivStr failed. %s%s&csb=%s&usb=%d&asb=%d&ContentType=PDF<r00412b>q1Ggw0sW0raah/rGgDOENvB7EvvSvlyPYBEHVgshiJN3ce+NsnD4IzY=%s%s&csb=%s&usb=%d&asb=%d&ContentType=PDF<r00412b/>q1Ggw0sW0uacjfrJgHiUavkkB/jE9UvPfw5HBlxMndR4XemQ/3DiLmWBRkTJYQ==q1Ggw0sW0uacjfrJgHiUavU3A73dslvPdFUZAVV+xc1yZMCC5G3UN27dXVnLY9C5l7Xo..cnhttp://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD%AF%E4%BB%B6PDF%E9%98%85%E8%AF%BB%E5%99%A8.aspxopenhttp://www.haihaisoft.com/PDF_Reader_download.aspxopencng vs 03262025_Distribution Notice.exe
Source: 03262025_Distribution Notice.exe, 00000000.00000003.436412495.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs 03262025_Distribution Notice.exe
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441433930.0000000000BF5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs 03262025_Distribution Notice.exe
Source: 03262025_Distribution Notice.exe, 00000000.00000002.442549072.0000000011F0A000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameberkelium.dll< vs 03262025_Distribution Notice.exe
Source: 03262025_Distribution Notice.exe, 00000000.00000003.436423322.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs 03262025_Distribution Notice.exe
Source: 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: \VarFileInfo\Translation\StringFileInfo\%04x%04x\%lsCompanyNameCompanyShortNameInternalNameProductNameProductShortNameCommentsLegalCopyrightProductVersionFileDescriptionLegalTrademarksPrivateBuildFileVersionOriginalFilenameSpecialBuildLastChange1Official BuildCheck failed: data_.get(). .\file_version_info_win.ccGB/sMB/skB/sB/sMBkBB vs 03262025_Distribution Notice.exe
Source: 03262025_Distribution Notice.exe, 00000000.00000003.436438743.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs 03262025_Distribution Notice.exe
Source: 03262025_Distribution Notice.exe, 00000002.00000000.428334284.00000000009FC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehpreader.exeL vs 03262025_Distribution Notice.exe
Source: 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: 0has caused the Haihaisoft PDF Reader to exit. Please close all screen capture software and open the Haihaisoft PDF Reader again.\\VarFileInfo\TranslationOriginalFilename, , , , A:\B:\cccgoogledrivesync.exeaaa, Domain parse error 4./HaihaisoftWeb page content length is 0.ntdll.dllRtlGetNtVersionNumbersindivstr is empty!%s\Haihaisoft\XPDF\%s.lic%s\Haihaisoft\XPDF\V3.licindivstr2013 is empty!%s\Haihaisoft\XPDF\%s.licq1Ggw0sW0raah/rGgDOENvB7EvvftEWPYBEHVgshiJN3ce+NsnD4IzY=GetIndivStr failed. %s%s&csb=%s&usb=%d&asb=%d&ContentType=PDF<r00412b>q1Ggw0sW0raah/rGgDOENvB7EvvSvlyPYBEHVgshiJN3ce+NsnD4IzY=%s%s&csb=%s&usb=%d&asb=%d&ContentType=PDF<r00412b/>q1Ggw0sW0uacjfrJgHiUavkkB/jE9UvPfw5HBlxMndR4XemQ/3DiLmWBRkTJYQ==q1Ggw0sW0uacjfrJgHiUavU3A73dslvPdFUZAVV+xc1yZMCC5G3UN27dXVnLY9C5l7Xo..cnhttp://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD%AF%E4%BB%B6PDF%E9%98%85%E8%AF%BB%E5%99%A8.aspxopenhttp://www.haihaisoft.com/PDF_Reader_download.aspxopencng vs 03262025_Distribution Notice.exe

Uses 32bit PE files

Source: 03262025_Distribution Notice.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll",EntryPoint /f

Yara signature match

Source: 12.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.03262025_Distribution Notice.exe.1c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.03262025_Distribution Notice.exe.1c0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.03262025_Distribution Notice.exe.1c0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.rundll32.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.rundll32.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.rundll32.exe.8b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.03262025_Distribution Notice.exe.2690000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.03262025_Distribution Notice.exe.2690000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.03262025_Distribution Notice.exe.2690000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.rundll32.exe.8b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.rundll32.exe.8b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.rundll32.exe.8b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.03262025_Distribution Notice.exe.2790000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.03262025_Distribution Notice.exe.2790000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.03262025_Distribution Notice.exe.2790000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.rundll32.exe.960000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.rundll32.exe.960000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.rundll32.exe.960000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.rundll32.exe.960000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.rundll32.exe.960000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.rundll32.exe.960000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: 03262025_Distribution Notice.exe PID: 3560, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 03262025_Distribution Notice.exe PID: 3696, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@17/1@133/1

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001D7AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		2_2_001D7AD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000A7AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		10_2_000A7AD9

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001CC03C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

2_2_001CC03C

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001DB9AB FindResourceA,LoadResource,LockResource,SizeofResource,

2_2_001DB9AB

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001DAC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_001DAC43

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

File created: C:\Users\user\Documents\JavaUpdater943034.dll

Jump to behavior

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-MB2LKE

Source: C:\Windows\SysWOW64\reg.exe

Console Write: ....................\.#.........T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........(.......N.......@...............

Jump to behavior

Source: 03262025_Distribution Notice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Users\user\Documents\JavaUpdater943034.dll,EntryPoint

Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM ' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.0000000011618000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.0000000011618000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: CREATE TABLE (key TEXT NOT NULL ON CONFLICT FAIL UNIQUE ON CONFLICT REPLACE,value TEXT NOT NULL ON CONFLICT FAIL);
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: SELECT ALL * FROM %s WHERE %s;
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: create table %_segments(block blob);
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: insert into %_content (rowid, where rowid = ?select block from %_segments where rowid between ? and ? order by rowid%s,%Q)fts2create table %_segments(block blob);select rowid, * from %%_content %swhere rowid=?
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: create table %_segments( blockid INTEGER PRIMARY KEY, block blob);
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: SELECT ALL * FROM %s;
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: create table %_segdir( level integer, idx integer, start_block integer, leaves_end_block integer, end_block integer, root blob, primary key(level, idx));
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.0000000011618000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.0000000011618000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: SELECT name FROM sqlite_master WHERE type='table';
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM ' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM ' \|\| quote(name) \|\| ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0SELECT 'CREATE UNIQUE INDEX vacuum_db.' \|\| substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'SELECT 'CREATE INDEX vacuum_db.' \|\| substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' SELECT 'CREATE TABLE vacuum_db.' \|\| substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0BEGIN EXCLUSIVE;PRAGMA vacuum_db.synchronous=OFFATTACH '' AS vacuum_db;cannot VACUUM from within a transaction5
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: INSERT INTO share_info VALUES(?, ?, ?, ?, ?, -2, ?, ?, ?, ?, ?, ?, ?);
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM ' \|\| quote(name) \|\| ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

Source: unknown	Process created: C:\Users\user\Desktop\03262025_Distribution Notice.exe "C:\Users\user\Desktop\03262025_Distribution Notice.exe"
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Process created: C:\Users\user\Desktop\03262025_Distribution Notice.exe "C:\Users\user\Desktop\03262025_Distribution Notice.exe"
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll",EntryPoint /f
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Users\user\Documents\JavaUpdater943034.dll,EntryPoint
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Users\user\Documents\JavaUpdater943034.dll,EntryPoint
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Users\user\Documents\JavaUpdater943034.dll,EntryPoint
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Users\user\Documents\JavaUpdater943034.dll,EntryPoint
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Process created: C:\Users\user\Desktop\03262025_Distribution Notice.exe "C:\Users\user\Desktop\03262025_Distribution Notice.exe"	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll",EntryPoint /f & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll",EntryPoint /f	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Users\user\Documents\JavaUpdater943034.dll,EntryPoint	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Users\user\Documents\JavaUpdater943034.dll,EntryPoint
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: a.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: shcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Section loaded: wow64cpu.dll	Jump to behavior

PE / OLE file has a valid certificate

Source: 03262025_Distribution Notice.exe

Static PE information: certificate valid

PE file has a big code size

Source: 03262025_Distribution Notice.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: 03262025_Distribution Notice.exe

Static file information: File size 6365288 > 1048576

PE file contains a mix of resources often seen in goodware

Source: 03262025_Distribution Notice.exe	Static PE information: section name: RT_CURSOR
Source: 03262025_Distribution Notice.exe	Static PE information: section name: RT_BITMAP
Source: 03262025_Distribution Notice.exe	Static PE information: section name: RT_ICON
Source: 03262025_Distribution Notice.exe	Static PE information: section name: RT_MENU
Source: 03262025_Distribution Notice.exe	Static PE information: section name: RT_DIALOG
Source: 03262025_Distribution Notice.exe	Static PE information: section name: RT_STRING
Source: 03262025_Distribution Notice.exe	Static PE information: section name: RT_ACCELERATOR
Source: 03262025_Distribution Notice.exe	Static PE information: section name: RT_GROUP_ICON

PE file has a big raw section

Source: 03262025_Distribution Notice.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c7a00
Source: 03262025_Distribution Notice.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2b5e00

PE file imports many functions

Source: 03262025_Distribution Notice.exe

Static PE information: More than 200 imports for KERNEL32.dll

PE file contains a debug data directory

Source: 03262025_Distribution Notice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: d:\SDK\WebRender\Berkelium\win32\berkelium.pdb source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000004329000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.0000000011B0A000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: /app/crashsubmit?appname=SumatraPDFhttp://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5.3.0.pdbSumatraPDF.pdblibmupdf.pdbSumatraPDF-no-MuPDF.pdbhttp://kjkpub.s3.amazonaws.com/sumatrapdf/prerel/SumatraPDF-prerelease-SVN_PRE_RELEASE_VER.pdb.zipsymbols_tmp.ziphttp://kjkpub.s3.amazonaws.com/sumatrapdf/rel/SumatraPDF-1.5.3.0.pdb.zipsymbols_tmp.zipSUMATRAPDF_FULLDUMPHaihaisoft PDF Reader crashedSorry, that shouldn't have happened! source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: SumatraPDF-no-MuPDF.pdb source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: SumatraPDF-1.5.3.0.pdb source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: mail.pdb.se source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: xOdx>a0m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: libmupdf.pdb source: 03262025_Distribution Notice.exe, 00000000.00000002.441352881.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000000.00000000.381595166.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, 03262025_Distribution Notice.exe, 00000002.00000002.909938287.00000000006C9000.00000002.00000001.01000000.00000003.sdmp

Data Obfuscation

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001DD0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

2_2_001DD0CF

PE file contains sections with non-standard names

Source: JavaUpdater943034.dll.0.dr

Static PE information: section name: .unwante

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_0021B07C pushad ; retn 0021h	2_2_0021B0B9
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_002170CF push ecx; ret	2_2_002170E2
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001F5226 push ecx; ret	2_2_001F5239
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_0021D9ED push esi; ret	2_2_0021D9F6
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_00217A00 push eax; ret	2_2_00217A1E
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_0021CB54 push 900021CFh; iretd	2_2_0021CB59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0019A0A3 push ebx; iretd	7_2_0019A0A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000E70CF push ecx; ret	10_2_000E70E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000C5226 push ecx; ret	10_2_000C5239
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000ED9ED push esi; ret	10_2_000ED9F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000E7A00 push eax; ret	10_2_000E7A1E

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

File created: C:\Users\user\Documents\JavaUpdater943034.dll

Jump to dropped file

Contains functionality to download and launch executables

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001C62E2 ShellExecuteW,URLDownloadToFileW,

2_2_001C62E2

Drops PE files

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

File created: C:\Users\user\Documents\JavaUpdater943034.dll

Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001DAC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_001DAC43

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Palo Alto Network Sensor			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Palo Alto Network Sensor			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

2_2_001DD0CF

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to enumerate running services

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		2_2_001DA941
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		10_2_000AA941

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Window / User API: threadDelayed 2962			Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Window / User API: threadDelayed 7026			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Dropped PE file which has not been started: C:\Users\user\Documents\JavaUpdater943034.dll

Jump to dropped file

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\rundll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	API coverage: 3.6 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 3.8 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 7.2 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe TID: 3708	Thread sleep count: 2962 > 30	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe TID: 3708	Thread sleep time: -8886000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe TID: 3708	Thread sleep count: 7026 > 30	Jump to behavior
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe TID: 3708	Thread sleep time: -21078000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001C90DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	2_2_001C90DC
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001CB6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_001CB6B5
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001DC7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	2_2_001DC7E5
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001CB8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	2_2_001CB8BA
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_0020E989 FindFirstFileExA,	2_2_0020E989
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001C8CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	2_2_001C8CDE
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001D9CEE FindFirstFileW,FindNextFileW,FindNextFileW,	2_2_001D9CEE
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001C7EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	2_2_001C7EDD
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001C6F13 FindFirstFileW,FindNextFileW,	2_2_001C6F13
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000990DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	10_2_000990DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0009B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	10_2_0009B6B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000AC7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	10_2_000AC7E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0009B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	10_2_0009B8BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000DE989 FindFirstFileExA,	10_2_000DE989
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00098CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	10_2_00098CDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000A9CEE FindFirstFileW,FindNextFileW,FindNextFileW,	10_2_000A9CEE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00097EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	10_2_00097EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00096F13 FindFirstFileW,FindNextFileW,	10_2_00096F13

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001C7357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

2_2_001C7357

Source: 03262025_Distribution Notice.exe, 00000000.00000002.442402408.0000000011697000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: VMnet
Source: 03262025_Distribution Notice.exe, 00000000.00000002.442402408.0000000011697000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: VMnet{0123456789abcdefABCDEFP

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001FB88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_001FB88D

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

2_2_001DD0CF

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_002038F4 mov eax, dword ptr fs:[00000030h]		2_2_002038F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000D38F4 mov eax, dword ptr fs:[00000030h]		10_2_000D38F4

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001D1999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,

2_2_001D1999

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Process created: C:\Users\user\Desktop\03262025_Distribution Notice.exe "C:\Users\user\Desktop\03262025_Distribution Notice.exe"

Jump to behavior

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001F4F01 SetUnhandledExceptionFilter,	2_2_001F4F01
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001F5398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_001F5398
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001FB88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_001FB88D
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: 2_2_001F4D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_001F4D6E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000C4F01 SetUnhandledExceptionFilter,	10_2_000C4F01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000C5398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_000C5398
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000CB88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_000CB88D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_000C4D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_000C4D6E

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Memory written: C:\Users\user\Desktop\03262025_Distribution Notice.exe base: 1C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\rundll32.exe base: 90000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\rundll32.exe base: 90000 value starts with: 4D5A

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001D97D9 mouse_event,

2_2_001D97D9

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll",EntryPoint /f & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Palo Alto Network Sensor" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\JavaUpdater943034.dll",EntryPoint /f	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Users\user\Documents\JavaUpdater943034.dll,EntryPoint	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Users\user\Documents\JavaUpdater943034.dll,EntryPoint

Source: 03262025_Distribution Notice.exe, 00000000.00000002.441461757.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, 03262025_Distribution Notice.exe, 00000000.00000002.442402408.00000000117D1000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000007.00000002.537522230.00000000117D1000.00000002.00000001.01000000.00000005.sdmp

Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001F5034 cpuid

2_2_001F5034

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: EnumSystemLocalesW,	2_2_00212097
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: EnumSystemLocalesW,	2_2_002120E2
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: EnumSystemLocalesW,	2_2_0021217D
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_0021220A
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: GetLocaleInfoA,	2_2_001CF26B
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: EnumSystemLocalesW,	2_2_0020844E
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: GetLocaleInfoW,	2_2_0021245A
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00212583
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: GetLocaleInfoW,	2_2_0021268A
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00212757
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: GetLocaleInfoW,	2_2_00208937
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: IsValidCodePage,GetLocaleInfoW,	2_2_00211E1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	10_2_000E2097
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	10_2_000E20E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	10_2_000E217D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	10_2_000E220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	10_2_0009F26B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	10_2_000D844E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	10_2_000E245A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	10_2_000E2583
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	10_2_000E268A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	10_2_000E2757
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	10_2_000D8937
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidCodePage,GetLocaleInfoW,	10_2_000E1E1F

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 0_2_0049A377 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0049A377

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_001DBB0E GetUserNameW,

2_2_001DBB0E

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Code function: 2_2_002091DA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

2_2_002091DA

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.03262025_Distribution Notice.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2790000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.960000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.960000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.910038572.0000000000C74000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.528588928.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.562253767.00000000003D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 03262025_Distribution Notice.exe PID: 3560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 03262025_Distribution Notice.exe PID: 3696, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		2_2_001CB59B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		10_2_0009B59B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	2_2_001CB6B5
Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: \key3.db	2_2_001CB6B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	10_2_0009B6B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: \key3.db	10_2_0009B6B5

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-MB2LKE	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-MB2LKE	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-MB2LKE

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.03262025_Distribution Notice.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.03262025_Distribution Notice.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2790000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.03262025_Distribution Notice.exe.2790000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.960000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.960000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.909856778.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.611376387.0000000000960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.910038572.0000000000C74000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.528588928.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.611185346.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.441437112.0000000002690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.562253767.00000000003D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.562197232.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.526953129.0000000000090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.537116211.0000000000410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.441451123.0000000002790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.537091857.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 03262025_Distribution Notice.exe PID: 3560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 03262025_Distribution Notice.exe PID: 3696, type: MEMORYSTR

Contains functionality to launch a control a shell (cmd.exe)

Source: C:\Users\user\Desktop\03262025_Distribution Notice.exe	Code function: cmd.exe		2_2_001C5091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: cmd.exe		10_2_00095091

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	2 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	1 DLL Side-Loading	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	112 Process Injection	1 Bypass User Account Control	LSA Secrets	23 System Information Discovery	SSH	Keylogging	1 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	21 Security Software Discovery	VNC	GUI Input Capture	21 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	112 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Rundll32	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 03262025_Distribution Notice.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
03262025_Distribution Notice.exe