Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
staff record or employee record_pdf.exe

Overview

General Information

Sample name:staff record or employee record_pdf.exe
Analysis ID:1629734
MD5:c5b417deb918f4465550e39adb29d6dd
SHA1:28f8cd07a58ed47c758339cdc48ef195e1b36ad9
SHA256:d982188914a208819d6c3333b65ffa4c9cf55f0c72f420305ef9d2faad5b03c6
Tags:exeuser-threatcat_ch
Infos:

Detection

Remcos, GuLoader
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Remcos RAT
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
AI detected suspicious PE digital signature
Creates autostart registry keys with suspicious names
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • staff record or employee record_pdf.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\staff record or employee record_pdf.exe" MD5: C5B417DEB918F4465550E39ADB29D6DD)
    • staff record or employee record_pdf.exe (PID: 7760 cmdline: "C:\Users\user\Desktop\staff record or employee record_pdf.exe" MD5: C5B417DEB918F4465550E39ADB29D6DD)
      • remcos.exe (PID: 7844 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: C5B417DEB918F4465550E39ADB29D6DD)
        • remcos.exe (PID: 7348 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: C5B417DEB918F4465550E39ADB29D6DD)
          • recover.exe (PID: 3368 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\aqdzyspfhvwrgjtkqowuj" MD5: D38B657A068016768CA9F3B5E100B472)
          • recover.exe (PID: 5296 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\dsrrrcahdeowqphwzzjwmhdh" MD5: D38B657A068016768CA9F3B5E100B472)
          • recover.exe (PID: 5416 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nmwkrvlarmgjsddaqjexxuxqxvr" MD5: D38B657A068016768CA9F3B5E100B472)
          • recover.exe (PID: 6776 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\sdxuouqotqdhpkwkbge" MD5: D38B657A068016768CA9F3B5E100B472)
          • recover.exe (PID: 6860 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\uycepmbhgyvmrqkokrrlbmq" MD5: D38B657A068016768CA9F3B5E100B472)
          • recover.exe (PID: 3408 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\uycepmbhgyvmrqkokrrlbmq" MD5: D38B657A068016768CA9F3B5E100B472)
          • recover.exe (PID: 3668 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\fsixqfljugnzbegsbueflrlgaa" MD5: D38B657A068016768CA9F3B5E100B472)
          • recover.exe (PID: 5448 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\fsixqfljugnzbegsbueflrlgaa" MD5: D38B657A068016768CA9F3B5E100B472)
          • recover.exe (PID: 2996 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\fsixqfljugnzbegsbueflrlgaa" MD5: D38B657A068016768CA9F3B5E100B472)
          • recover.exe (PID: 7500 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kjjhnwqoeljxpmzkmr" MD5: D38B657A068016768CA9F3B5E100B472)
          • recover.exe (PID: 1900 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\mdwsopbpstbcasvovczbp" MD5: D38B657A068016768CA9F3B5E100B472)
          • recover.exe (PID: 8092 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wfckohmjgbthcgjsmmmusxyx" MD5: D38B657A068016768CA9F3B5E100B472)
  • remcos.exe (PID: 7952 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: C5B417DEB918F4465550E39ADB29D6DD)
  • remcos.exe (PID: 2180 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: C5B417DEB918F4465550E39ADB29D6DD)
  • remcos.exe (PID: 7948 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: C5B417DEB918F4465550E39ADB29D6DD)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000D.00000002.2980081200.00000000335B0000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
    0000000D.00000003.2926798485.0000000033413000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
      0000000D.00000002.2981967691.0000000033A00000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
        0000000D.00000003.2761637855.0000000033964000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
          0000000D.00000003.2758472844.00000000332DB000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
            Click to see the 27 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            13.2.remcos.exe.335b0000.2.raw.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
              23.2.recover.exe.400000.0.raw.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                14.2.recover.exe.400000.0.raw.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                  13.2.remcos.exe.33b30000.8.raw.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                    13.3.remcos.exe.334126a0.3.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                      Click to see the 10 entries

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: CurrentVersion Autorun Keys Modification
                      Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\staff record or employee record_pdf.exe, ProcessId: 7760, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-ULE32L
                      Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
                      Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\staff record or employee record_pdf.exe, ProcessId: 7760, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-ULE32L

                      Stealing of Sensitive Information

                      barindex
                      Sigma detected: Remcos
                      Source: Registry Key setAuthor: Joe Security: Data: Details: 5F 68 D4 CD C9 23 8B 54 E2 85 5A 05 BA 1D 5E C6 07 80 7A A6 84 FC 45 84 C2 E3 C9 07 A2 B4 D2 C1 31 80 8A 88 CA BA 3B 60 A2 F9 13 6D E7 63 18 2F 1C 52 56 02 B5 4B 81 5F 93 E7 31 9B 04 23 C4 DA 25 47 , EventID: 13, EventType: SetValue, Image: C:\ProgramData\Remcos\remcos.exe, ProcessId: 7348, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-ULE32L\exepath

                      Suricata Signatures

                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-03-05T04:21:49.410558+010020365941Malware Command and Control Activity Detected192.168.2.449929103.178.235.402404TCP
                      2025-03-05T04:21:51.833514+010020365941Malware Command and Control Activity Detected192.168.2.449945103.178.235.402404TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-03-05T04:21:51.325766+010028033043Unknown Traffic192.168.2.449946178.237.33.5080TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-03-05T04:20:34.752154+010028032702Potentially Bad Traffic192.168.2.449736188.114.96.3443TCP
                      2025-03-05T04:21:43.711316+010028032702Potentially Bad Traffic192.168.2.449897188.114.96.3443TCP

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Antivirus / Scanner detection for submitted sample
                      Source: staff record or employee record_pdf.exeAvira: detected
                      Antivirus detection for dropped file
                      Source: C:\ProgramData\Remcos\remcos.exeAvira: detection malicious, Label: HEUR/AGEN.1331786
                      Multi AV Scanner detection for dropped file
                      Source: C:\ProgramData\Remcos\remcos.exeReversingLabs: Detection: 21%
                      Multi AV Scanner detection for submitted file
                      Source: staff record or employee record_pdf.exeReversingLabs: Detection: 21%
                      Source: staff record or employee record_pdf.exeVirustotal: Detection: 19%Perma Link
                      Yara detected Remcos RAT
                      Source: Yara matchFile source: 0000000D.00000002.2956317651.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2956317651.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.1976680932.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2718577617.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2751198640.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: staff record or employee record_pdf.exe PID: 7760, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 7348, type: MEMORYSTR
                      Joe Sandbox ML detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Source: staff record or employee record_pdf.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49897 version: TLS 1.2
                      Source: staff record or employee record_pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: remcos.exe, 0000000D.00000002.2980081200.00000000335B0000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2926798485.0000000033413000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2761637855.0000000033964000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2758472844.00000000332DB000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2981967691.0000000033A00000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927967777.0000000033646000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927320513.00000000333B1000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927844678.0000000033723000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2928082099.00000000337E9000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927754792.00000000338AF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2751161145.0000000002C3B000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2754151160.00000000335B5000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2750878785.00000000333B1000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2983719949.0000000033B30000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2757460515.0000000033725000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000000E.00000002.2812756762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000011.00000002.2872937583.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000017.00000002.2925482368.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                      Source: C:\ProgramData\Remcos\remcos.exeDirectory queried: number of queries: 1326
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_00405E7C FindFirstFileA,FindClose,0_2_00405E7C
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_00405438 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405438
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_00402645 FindFirstFileA,0_2_00402645
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 6_2_00402645 FindFirstFileA,6_2_00402645
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 6_2_00405E7C FindFirstFileA,FindClose,6_2_00405E7C
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 6_2_00405438 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,6_2_00405438
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 8_2_00405E7C FindFirstFileA,FindClose,8_2_00405E7C
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 8_2_00405438 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,8_2_00405438
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 8_2_00402645 FindFirstFileA,8_2_00402645
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 13_2_33C710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,13_2_33C710F1
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0040B477 FindFirstFileW,FindNextFileW,14_2_0040B477
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407EF8
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile opened: C:\Users\userJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile opened: C:\Users\user\AppDataJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer ShortcutsJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior

                      Networking

                      barindex
                      Suricata IDS alerts for network traffic
                      Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49929 -> 103.178.235.40:2404
                      Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49945 -> 103.178.235.40:2404
                      Source: global trafficTCP traffic: 192.168.2.4:49929 -> 103.178.235.40:2404
                      Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                      Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                      Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                      Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                      Source: Joe Sandbox ViewASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
                      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                      Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49946 -> 178.237.33.50:80
                      Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 188.114.96.3:443
                      Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49897 -> 188.114.96.3:443
                      Source: global trafficHTTP traffic detected: GET /WquhOBRy/DWrKpmgyPBhZOjDQurqj189.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: gj32.onlineCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /WquhOBRy/DWrKpmgyPBhZOjDQurqj189.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: gj32.onlineCache-Control: no-cache
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: unknownTCP traffic detected without corresponding DNS query: 103.178.235.40
                      Source: global trafficHTTP traffic detected: GET /WquhOBRy/DWrKpmgyPBhZOjDQurqj189.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: gj32.onlineCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /WquhOBRy/DWrKpmgyPBhZOjDQurqj189.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: gj32.onlineCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                      Source: remcos.exe, 0000000D.00000002.2980081200.00000000335B0000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2926798485.0000000033413000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2761637855.0000000033964000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                      Source: remcos.exe, 0000000D.00000002.2980081200.00000000335B0000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2926798485.0000000033413000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2761637855.0000000033964000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                      Source: remcos.exe, 0000000D.00000002.2981398808.00000000339D0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000010.00000002.2769337758.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000016.00000002.2831756168.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                      Source: remcos.exe, 0000000D.00000002.2981398808.00000000339D0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000010.00000002.2769337758.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000016.00000002.2831756168.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                      Source: recover.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)
                      Source: recover.exe, 0000000E.00000002.2813996600.000000000307C000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000E.00000003.2812203751.000000000307C000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000E.00000003.2812305430.000000000307C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                      Source: recover.exe, 0000000E.00000002.2813996600.000000000307C000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000E.00000003.2812203751.000000000307C000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000E.00000003.2812305430.000000000307C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                      Source: global trafficDNS traffic detected: DNS query: gj32.online
                      Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
                      Source: bhvAB71.tmp.17.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                      Source: bhvAB71.tmp.17.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
                      Source: staff record or employee record_pdf.exe, remcos.exe.6.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
                      Source: staff record or employee record_pdf.exe, remcos.exe.6.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
                      Source: bhvAB71.tmp.17.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
                      Source: staff record or employee record_pdf.exe, remcos.exe.6.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
                      Source: staff record or employee record_pdf.exe, remcos.exe.6.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
                      Source: remcos.exe, 0000000D.00000002.2956317651.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2956317651.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2956317651.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2718577617.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2751198640.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2956317651.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp, bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://geoplugin.net/json.gp
                      Source: remcos.exe, 0000000D.00000002.2956317651.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2718577617.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2751198640.0000000002C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpX
                      Source: remcos.exe, 0000000D.00000002.2956317651.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2718577617.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2751198640.0000000002C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpu
                      Source: remcos.exe, remcos.exe, 00000008.00000002.2946692631.0000000000409000.00000004.00000001.01000000.00000009.sdmp, remcos.exe, 00000008.00000000.2066504618.0000000000409000.00000008.00000001.01000000.00000009.sdmp, remcos.exe, 00000009.00000002.2946459042.0000000000409000.00000004.00000001.01000000.00000009.sdmp, remcos.exe, 00000009.00000000.2151418061.0000000000409000.00000008.00000001.01000000.00000009.sdmp, remcos.exe, 0000000B.00000002.2946129846.0000000000409000.00000004.00000001.01000000.00000009.sdmp, remcos.exe, 0000000B.00000000.2243448493.0000000000409000.00000008.00000001.01000000.00000009.sdmp, remcos.exe, 0000000D.00000002.2946327901.0000000000409000.00000008.00000001.01000000.00000009.sdmp, staff record or employee record_pdf.exe, remcos.exe.6.drString found in binary or memory: http://nsis.sf.net/NSIS_Error
                      Source: staff record or employee record_pdf.exe, remcos.exe.6.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://ocsp.digicert.com0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://ocsp.digicert.com0:
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://ocsp.digicert.com0H
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://ocsp.digicert.com0I
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://ocsp.digicert.com0Q
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://ocsp.msocsp.com0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://ocsp.msocsp.com0S
                      Source: staff record or employee record_pdf.exe, remcos.exe.6.drString found in binary or memory: http://ocsp.sectigo.com0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://ocspx.digicert.com0E
                      Source: bhvAB71.tmp.17.drString found in binary or memory: http://www.digicert.com/CPS0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://www.digicert.com/CPS0~
                      Source: remcos.exe, 0000000D.00000002.2981398808.00000000339D0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000010.00000002.2769337758.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000016.00000002.2831756168.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000019.00000002.2883745472.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                      Source: remcos.exe, 0000000D.00000002.2981398808.00000000339D0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000010.00000002.2769337758.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000010.00000003.2768346273.000000000341D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000010.00000003.2768002027.000000000341D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000016.00000003.2829187371.000000000333D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000016.00000002.2831756168.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000016.00000003.2828079401.000000000333D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000019.00000003.2883096382.000000000375D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000019.00000003.2882478277.000000000375D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000019.00000002.2883745472.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                      Source: remcos.exe, 0000000D.00000002.2981398808.00000000339D0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000010.00000002.2769337758.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000016.00000002.2831756168.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000019.00000002.2883745472.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                      Source: remcos.exe, 0000000D.00000002.2981398808.00000000339D0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000010.00000002.2769337758.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000016.00000002.2831756168.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000019.00000002.2883745472.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                      Source: recover.exe, 00000010.00000003.2768346273.000000000341D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000010.00000003.2768002027.000000000341D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000016.00000003.2829187371.000000000333D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000016.00000003.2828079401.000000000333D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000019.00000003.2883096382.000000000375D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000019.00000003.2882478277.000000000375D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comta
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
                      Source: recover.exe, 0000000E.00000002.2812984107.00000000028D4000.00000004.00000010.00020000.00000000.sdmp, recover.exe, 00000011.00000002.2873163161.0000000002753000.00000004.00000010.00020000.00000000.sdmp, recover.exe, 00000017.00000002.2925659887.0000000002E94000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                      Source: recover.exe, 00000019.00000002.2883745472.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d
                      Source: bhvAB71.tmp.17.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68
                      Source: bhvAB71.tmp.17.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                      Source: bhvAB71.tmp.17.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
                      Source: bhvAB71.tmp.17.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
                      Source: staff record or employee record_pdf.exe, 00000006.00000002.1976680932.0000000002AF3000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2956317651.0000000002BD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gj32.online/
                      Source: staff record or employee record_pdf.exe, 00000006.00000002.1983107225.0000000004790000.00000004.00001000.00020000.00000000.sdmp, staff record or employee record_pdf.exe, 00000006.00000002.1976680932.0000000002AF3000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2976254171.00000000323A0000.00000004.00001000.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2956317651.0000000002BD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gj32.online/WquhOBRy/DWrKpmgyPBhZOjDQurqj189.bin
                      Source: staff record or employee record_pdf.exe, 00000006.00000002.1976680932.0000000002AF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gj32.online/WquhOBRy/DWrKpmgyPBhZOjDQurqj189.binXS
                      Source: staff record or employee record_pdf.exe, 00000006.00000002.1976680932.0000000002AF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gj32.online/i
                      Source: bhvAB71.tmp.17.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                      Source: bhvAB71.tmp.17.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                      Source: recover.exe, 0000000E.00000002.2813996600.000000000307C000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000E.00000003.2812203751.000000000307C000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000E.00000003.2812305430.000000000307C000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000011.00000003.2872266282.0000000002A5C000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000011.00000003.2872527762.0000000002A5C000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000011.00000002.2874818154.0000000002A5C000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000017.00000003.2925167498.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000017.00000002.2928367962.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000017.00000003.2925096370.00000000033ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
                      Source: bhvAB71.tmp.17.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae
                      Source: recover.exeString found in binary or memory: https://login.yahoo.com/config/login
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://maps.windows.com/windows-app-web-link
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
                      Source: staff record or employee record_pdf.exe, remcos.exe.6.drString found in binary or memory: https://sectigo.com/CPS0
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://www.digicert.com/CPS0
                      Source: remcos.exe, 0000000D.00000002.2981398808.00000000339D0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000010.00000002.2769337758.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000016.00000002.2831756168.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000019.00000002.2883745472.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                      Source: recover.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drString found in binary or memory: https://www.office.com/
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49897
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49897 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49897 version: TLS 1.2
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_00404FA1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard,0_2_00404FA1
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,14_2_00409E39
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,14_2_00409EA1
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,15_2_00406DFC
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,15_2_00406E9F

                      E-Banking Fraud

                      barindex
                      Yara detected Remcos RAT
                      Source: Yara matchFile source: 0000000D.00000002.2956317651.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2956317651.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.1976680932.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2718577617.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2751198640.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: staff record or employee record_pdf.exe PID: 7760, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 7348, type: MEMORYSTR

                      System Summary

                      barindex
                      Initial sample is a PE file and has a suspicious name
                      Source: initial sampleStatic PE information: Filename: staff record or employee record_pdf.exe
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,14_2_0040BAE3
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_004016FD NtdllDefWindowProc_A,15_2_004016FD
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_004017B7 NtdllDefWindowProc_A,15_2_004017B7
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_004030B6 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_004030B6
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 6_2_004030B6 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,6_2_004030B6
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 8_2_004030B6 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,8_2_004030B6
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_004061520_2_00406152
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_004047E00_2_004047E0
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 6_2_004061526_2_00406152
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 6_2_004047E06_2_004047E0
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 8_2_004061528_2_00406152
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 8_2_004047E08_2_004047E0
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 13_2_33C7B5C113_2_33C7B5C1
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 13_2_33C8719413_2_33C87194
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0044A03014_2_0044A030
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0040612B14_2_0040612B
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0043E13D14_2_0043E13D
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0044B18814_2_0044B188
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0044227314_2_00442273
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0044D38014_2_0044D380
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0044A5F014_2_0044A5F0
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_004125F614_2_004125F6
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_004065BF14_2_004065BF
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_004086CB14_2_004086CB
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_004066BC14_2_004066BC
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0044D76014_2_0044D760
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_00405A4014_2_00405A40
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_00449A4014_2_00449A40
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_00405AB114_2_00405AB1
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_00405B2214_2_00405B22
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0044ABC014_2_0044ABC0
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_00405BB314_2_00405BB3
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_00417C6014_2_00417C60
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0044CC7014_2_0044CC70
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_00418CC914_2_00418CC9
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0044CDFB14_2_0044CDFB
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0044CDA014_2_0044CDA0
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0044AE2014_2_0044AE20
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_00415E3E14_2_00415E3E
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_00437F3B14_2_00437F3B
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_0040503815_2_00405038
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_0041208C15_2_0041208C
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_004050A915_2_004050A9
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_0040511A15_2_0040511A
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_0043C13A15_2_0043C13A
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_004051AB15_2_004051AB
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_0044930015_2_00449300
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_0040D32215_2_0040D322
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_0044A4F015_2_0044A4F0
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_0043A5AB15_2_0043A5AB
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_0041363115_2_00413631
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_0044669015_2_00446690
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_0044A73015_2_0044A730
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_004398D815_2_004398D8
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_004498E015_2_004498E0
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_0044A88615_2_0044A886
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_0043DA0915_2_0043DA09
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_00438D5E15_2_00438D5E
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_00449ED015_2_00449ED0
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_0041FE8315_2_0041FE83
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_00430F5415_2_00430F54
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\nshB4AE.tmp\System.dll 44E5DFD551B38E886214BD6B9C8EE913C4C4D1F085A6575D97C3E892B925DA82
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: String function: 004029FD appears 49 times
                      Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00422297 appears 42 times
                      Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 0044DDB0 appears 33 times
                      Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00418555 appears 34 times
                      Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00444B5A appears 37 times
                      Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 004186B6 appears 58 times
                      Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 004188FE appears 88 times
                      Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00413025 appears 79 times
                      Source: staff record or employee record_pdf.exeStatic PE information: invalid certificate
                      Source: staff record or employee record_pdf.exe, 00000000.00000002.1908300311.0000000000447000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesemicollegiate.exeH vs staff record or employee record_pdf.exe
                      Source: staff record or employee record_pdf.exe, 00000006.00000002.1972332563.0000000000447000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesemicollegiate.exeH vs staff record or employee record_pdf.exe
                      Source: staff record or employee record_pdf.exeBinary or memory string: OriginalFilenamesemicollegiate.exeH vs staff record or employee record_pdf.exe
                      Source: staff record or employee record_pdf.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@34/30@2/4
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,14_2_0041A225
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_004042B1 GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004042B1
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_00415799 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,14_2_00415799
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_00402036 LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,0_2_00402036
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_00416A46 FindResourceW,SizeofResource,LoadResource,LockResource,14_2_00416A46
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile created: C:\Users\user\AppData\Local\SongyJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-ULE32L
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\nsuEF4A.tmpJump to behavior
                      Source: staff record or employee record_pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\SysWOW64\recover.exeSystem information queried: HandleInformation
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: remcos.exe, 0000000D.00000002.2980081200.00000000335B0000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2926798485.0000000033413000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2761637855.0000000033964000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2758472844.00000000332DB000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2981967691.0000000033A00000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927967777.0000000033646000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927320513.00000000333B1000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927844678.0000000033723000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2928082099.00000000337E9000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927754792.00000000338AF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2751161145.0000000002C3B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                      Source: remcos.exe, 0000000D.00000002.2980081200.00000000335B0000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000002.2980672671.0000000033960000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2926798485.0000000033413000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2761637855.0000000033964000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2758472844.00000000332DB000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2981967691.0000000033A00000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927967777.0000000033646000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927320513.00000000333B1000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927844678.0000000033723000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2928082099.00000000337E9000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927754792.00000000338AF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: remcos.exe, 0000000D.00000002.2980081200.00000000335B0000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2926798485.0000000033413000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2761637855.0000000033964000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2758472844.00000000332DB000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2981967691.0000000033A00000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927967777.0000000033646000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927320513.00000000333B1000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927844678.0000000033723000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2928082099.00000000337E9000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927754792.00000000338AF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2754151160.00000000335B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                      Source: remcos.exe, 0000000D.00000002.2980081200.00000000335B0000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2926798485.0000000033413000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2761637855.0000000033964000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2758472844.00000000332DB000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2981967691.0000000033A00000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927967777.0000000033646000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927320513.00000000333B1000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927844678.0000000033723000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2928082099.00000000337E9000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927754792.00000000338AF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2751161145.0000000002C3B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                      Source: remcos.exe, 0000000D.00000002.2980081200.00000000335B0000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2926798485.0000000033413000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2761637855.0000000033964000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2758472844.00000000332DB000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2981967691.0000000033A00000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927967777.0000000033646000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927320513.00000000333B1000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927844678.0000000033723000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2928082099.00000000337E9000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927754792.00000000338AF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2754151160.00000000335B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                      Source: remcos.exe, 0000000D.00000002.2980081200.00000000335B0000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2926798485.0000000033413000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2761637855.0000000033964000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2758472844.00000000332DB000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2981967691.0000000033A00000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927967777.0000000033646000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927320513.00000000333B1000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927844678.0000000033723000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2928082099.00000000337E9000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927754792.00000000338AF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2751161145.0000000002C3B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                      Source: recover.exe, 0000000E.00000002.2814193423.000000000484C000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000011.00000002.2876619492.000000000472C000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000017.00000002.2928929037.0000000004A4C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: remcos.exe, 0000000D.00000002.2980081200.00000000335B0000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2926798485.0000000033413000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2761637855.0000000033964000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2758472844.00000000332DB000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2981967691.0000000033A00000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927967777.0000000033646000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927320513.00000000333B1000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927844678.0000000033723000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2928082099.00000000337E9000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927754792.00000000338AF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2751161145.0000000002C3B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                      Source: staff record or employee record_pdf.exeReversingLabs: Detection: 21%
                      Source: staff record or employee record_pdf.exeVirustotal: Detection: 19%
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile read: C:\Users\user\Desktop\staff record or employee record_pdf.exeJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
                      Source: unknownProcess created: C:\Users\user\Desktop\staff record or employee record_pdf.exe "C:\Users\user\Desktop\staff record or employee record_pdf.exe"
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess created: C:\Users\user\Desktop\staff record or employee record_pdf.exe "C:\Users\user\Desktop\staff record or employee record_pdf.exe"
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                      Source: unknownProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                      Source: unknownProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                      Source: unknownProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\aqdzyspfhvwrgjtkqowuj"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\dsrrrcahdeowqphwzzjwmhdh"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nmwkrvlarmgjsddaqjexxuxqxvr"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\sdxuouqotqdhpkwkbge"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\uycepmbhgyvmrqkokrrlbmq"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\uycepmbhgyvmrqkokrrlbmq"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\fsixqfljugnzbegsbueflrlgaa"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\fsixqfljugnzbegsbueflrlgaa"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\fsixqfljugnzbegsbueflrlgaa"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kjjhnwqoeljxpmzkmr"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\mdwsopbpstbcasvovczbp"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wfckohmjgbthcgjsmmmusxyx"
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess created: C:\Users\user\Desktop\staff record or employee record_pdf.exe "C:\Users\user\Desktop\staff record or employee record_pdf.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\aqdzyspfhvwrgjtkqowuj"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\dsrrrcahdeowqphwzzjwmhdh"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nmwkrvlarmgjsddaqjexxuxqxvr"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\sdxuouqotqdhpkwkbge"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\uycepmbhgyvmrqkokrrlbmq"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\uycepmbhgyvmrqkokrrlbmq"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\fsixqfljugnzbegsbueflrlgaa"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\fsixqfljugnzbegsbueflrlgaa"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\fsixqfljugnzbegsbueflrlgaa"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kjjhnwqoeljxpmzkmr"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\mdwsopbpstbcasvovczbp"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wfckohmjgbthcgjsmmmusxyx"
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: shfolder.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: riched20.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: usp10.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: msls31.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: version.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: shfolder.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: riched20.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: usp10.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: msls31.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: version.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: shfolder.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: riched20.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: usp10.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: msls31.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: version.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: shfolder.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: riched20.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: usp10.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: msls31.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: version.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: uxtheme.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: shfolder.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: windows.storage.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wldp.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: propsys.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: profapi.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: riched20.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: usp10.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: msls31.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: textinputframework.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coreuicomponents.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coremessaging.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ntmarta.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coremessaging.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: textshaping.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: version.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wininet.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: iertutil.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: sspicli.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: windows.storage.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wldp.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: profapi.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: winhttp.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: mswsock.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: iphlpapi.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: winnsi.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: dpapi.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: msasn1.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: cryptsp.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: rsaenh.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: cryptbase.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: gpapi.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: urlmon.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: srvcli.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: netutils.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: dnsapi.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: rasadhlp.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: fwpuclnt.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: schannel.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: mskeyprotect.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ntasn1.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ncrypt.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ncryptsslp.dll
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: winmm.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: version.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: pstorec.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: vaultcli.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wintypes.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: pstorec.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: version.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: pstorec.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: vaultcli.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wintypes.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: pstorec.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: version.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: pstorec.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: vaultcli.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wintypes.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: pstorec.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile written: C:\Users\user\AppData\Local\Songy\filmdebut\Straddled\braeface.iniJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                      Source: staff record or employee record_pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: remcos.exe, 0000000D.00000002.2980081200.00000000335B0000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2926798485.0000000033413000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2761637855.0000000033964000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2758472844.00000000332DB000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2981967691.0000000033A00000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927967777.0000000033646000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927320513.00000000333B1000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927844678.0000000033723000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2928082099.00000000337E9000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2927754792.00000000338AF000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2751161145.0000000002C3B000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2754151160.00000000335B5000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2750878785.00000000333B1000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2983719949.0000000033B30000.00000040.10000000.00040000.00000000.sdmp, remcos.exe, 0000000D.00000003.2757460515.0000000033725000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000000E.00000002.2812756762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000011.00000002.2872937583.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000017.00000002.2925482368.0000000000400000.00000040.80000000.00040000.00000000.sdmp

                      Data Obfuscation

                      barindex
                      Yara detected GuLoader
                      Source: Yara matchFile source: 0000000D.00000002.2946631401.000000000183C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1940995656.00000000070EC000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2835921837.000000000714C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.1972354927.000000000183C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_00405EA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405EA3
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_10002D30 push eax; ret 0_2_10002D5E
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 13_2_33C83F7D push ds; ret 13_2_33C83F7E
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 13_2_33C81219 push esp; iretd 13_2_33C8121A
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 13_2_33C72806 push ecx; ret 13_2_33C72819
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_00446B75 push ecx; ret 14_2_00446B85
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_00452BB4 push eax; ret 14_2_00452BC1
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0044DDB0 push eax; ret 14_2_0044DDC4
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0044DDB0 push eax; ret 14_2_0044DDEC
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_0044B090 push eax; ret 15_2_0044B0A4
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_0044B090 push eax; ret 15_2_0044B0CC
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_00444E71 push ecx; ret 15_2_00444E81

                      Persistence and Installation Behavior

                      barindex
                      AI detected suspicious PE digital signature
                      Source: Initial sampleJoe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate (issuer matches subject), 2) Organization name 'Efterstrbte' appears non-standard and suspicious, 3) Email domain 'Epiplasmic.Str' is highly unusual and not a valid TLD, 4) Certificate validation explicitly failed with untrusted root, 5) Large time gap between compilation date (2014) and certificate dates (2024-2025) suggests possible certificate manipulation, 6) Organization unit name 'Bogstavbetegnelsernes Specter Tergitic' appears randomly generated or obfuscated, 7) While country is US, other fields contain non-English terms suggesting potential location spoofing. The combination of an invalid signature, suspicious naming patterns, and temporal inconsistencies strongly indicates this is a maliciously crafted certificate.
                      Source: C:\ProgramData\Remcos\remcos.exeFile created: C:\Users\user\AppData\Local\Temp\nshB4AE.tmp\System.dllJump to dropped file
                      Source: C:\ProgramData\Remcos\remcos.exeFile created: C:\Users\user\AppData\Local\Temp\nsm693D.tmp\System.dllJump to dropped file
                      Source: C:\ProgramData\Remcos\remcos.exeFile created: C:\Users\user\AppData\Local\Temp\nso92FD.tmp\System.dllJump to dropped file
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile created: C:\ProgramData\Remcos\remcos.exeJump to dropped file
                      Source: C:\ProgramData\Remcos\remcos.exeFile created: C:\Users\user\AppData\Local\Temp\nshDB60.tmp\System.dllJump to dropped file
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\nswF601.tmp\System.dllJump to dropped file
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile created: C:\ProgramData\Remcos\remcos.exeJump to dropped file

                      Boot Survival

                      barindex
                      Creates autostart registry keys with suspicious names
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-ULE32LJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-ULE32LJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-ULE32LJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-ULE32LJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-ULE32LJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,15_2_004047CB
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\recover.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\recover.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\recover.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      barindex
                      Switches to a custom stack to bypass stack traces
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeAPI/Special instruction interceptor: Address: 77527E7
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeAPI/Special instruction interceptor: Address: 1EA27E7
                      Source: C:\ProgramData\Remcos\remcos.exeAPI/Special instruction interceptor: Address: 77B27E7
                      Source: C:\ProgramData\Remcos\remcos.exeAPI/Special instruction interceptor: Address: 1EA27E7
                      Tries to detect virtualization through RDTSC time measurements
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeRDTSC instruction interceptor: First address: 7716659 second address: 7716659 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FEBF88A8AB8h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 cmp bl, dl 0x0000000a rdtsc
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeRDTSC instruction interceptor: First address: 1E66659 second address: 1E66659 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FEBF94EFBA8h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 cmp bl, dl 0x0000000a rdtsc
                      Source: C:\ProgramData\Remcos\remcos.exeRDTSC instruction interceptor: First address: 7776659 second address: 7776659 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FEBF88A8AB8h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 cmp bl, dl 0x0000000a rdtsc
                      Source: C:\ProgramData\Remcos\remcos.exeRDTSC instruction interceptor: First address: 1E66659 second address: 1E66659 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FEBF94EFBA8h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 cmp bl, dl 0x0000000a rdtsc
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,14_2_0040BAE3
                      Source: C:\ProgramData\Remcos\remcos.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshB4AE.tmp\System.dllJump to dropped file
                      Source: C:\ProgramData\Remcos\remcos.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm693D.tmp\System.dllJump to dropped file
                      Source: C:\ProgramData\Remcos\remcos.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nso92FD.tmp\System.dllJump to dropped file
                      Source: C:\ProgramData\Remcos\remcos.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshDB60.tmp\System.dllJump to dropped file
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nswF601.tmp\System.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\recover.exeAPI coverage: 9.4 %
                      Source: C:\ProgramData\Remcos\remcos.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_00405E7C FindFirstFileA,FindClose,0_2_00405E7C
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_00405438 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405438
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_00402645 FindFirstFileA,0_2_00402645
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 6_2_00402645 FindFirstFileA,6_2_00402645
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 6_2_00405E7C FindFirstFileA,FindClose,6_2_00405E7C
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 6_2_00405438 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,6_2_00405438
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 8_2_00405E7C FindFirstFileA,FindClose,8_2_00405E7C
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 8_2_00405438 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,8_2_00405438
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 8_2_00402645 FindFirstFileA,8_2_00402645
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 13_2_33C710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,13_2_33C710F1
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0040B477 FindFirstFileW,FindNextFileW,14_2_0040B477
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407EF8
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0041A8D8 memset,GetSystemInfo,14_2_0041A8D8
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile opened: C:\Users\userJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile opened: C:\Users\user\AppDataJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer ShortcutsJump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                      Source: staff record or employee record_pdf.exe, 00000006.00000002.1976680932.0000000002B02000.00000004.00000020.00020000.00000000.sdmp, staff record or employee record_pdf.exe, 00000006.00000002.1976680932.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2956317651.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000002.2956317651.0000000002BB7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: bhvC3EA.tmp.23.dr, bhv9662.tmp.14.dr, bhvAB71.tmp.17.drBinary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
                      Source: bhvAB71.tmp.17.drBinary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeAPI call chain: ExitProcess graph end nodegraph_0-4695
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeAPI call chain: ExitProcess graph end nodegraph_0-4700
                      Source: C:\ProgramData\Remcos\remcos.exeAPI call chain: ExitProcess graph end nodegraph_8-3545
                      Source: C:\ProgramData\Remcos\remcos.exeAPI call chain: ExitProcess graph end nodegraph_8-3550
                      Source: C:\Windows\SysWOW64\recover.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\recover.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_00404E63 lstrlenA,lstrlenA,lstrcatA,SetWindowTextA,SendMessageA,SendMessageA,LdrInitializeThunk,SendMessageA,SendMessageA,0_2_00404E63
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 13_2_33C72639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_33C72639
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 14_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,14_2_0040BAE3
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_00405EA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405EA3
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 13_2_33C74AB4 mov eax, dword ptr fs:[00000030h]13_2_33C74AB4
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 13_2_33C7724E GetProcessHeap,13_2_33C7724E
                      Source: C:\Windows\SysWOW64\recover.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\recover.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\recover.exeProcess token adjusted: Debug
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 13_2_33C72B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_33C72B1C
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 13_2_33C72639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_33C72639
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 13_2_33C760E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_33C760E2

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Maps a DLL or memory area into another process
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write
                      Source: C:\ProgramData\Remcos\remcos.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write
                      Sample uses process hollowing technique
                      Source: C:\ProgramData\Remcos\remcos.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000
                      Source: C:\ProgramData\Remcos\remcos.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000
                      Source: C:\ProgramData\Remcos\remcos.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000
                      Source: C:\ProgramData\Remcos\remcos.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000
                      Source: C:\ProgramData\Remcos\remcos.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000
                      Source: C:\ProgramData\Remcos\remcos.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000
                      Source: C:\ProgramData\Remcos\remcos.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000
                      Source: C:\ProgramData\Remcos\remcos.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000
                      Source: C:\ProgramData\Remcos\remcos.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000
                      Source: C:\ProgramData\Remcos\remcos.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000
                      Writes to foreign memory regions
                      Source: C:\ProgramData\Remcos\remcos.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 2A69008
                      Source: C:\ProgramData\Remcos\remcos.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 2B8F008
                      Source: C:\ProgramData\Remcos\remcos.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 2E48008
                      Source: C:\ProgramData\Remcos\remcos.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 2980008
                      Source: C:\ProgramData\Remcos\remcos.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 2CA4008
                      Source: C:\ProgramData\Remcos\remcos.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 2A68008
                      Source: C:\ProgramData\Remcos\remcos.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 2CB2008
                      Source: C:\ProgramData\Remcos\remcos.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 2849008
                      Source: C:\ProgramData\Remcos\remcos.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 31B8008
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess created: C:\Users\user\Desktop\staff record or employee record_pdf.exe "C:\Users\user\Desktop\staff record or employee record_pdf.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\aqdzyspfhvwrgjtkqowuj"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\dsrrrcahdeowqphwzzjwmhdh"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nmwkrvlarmgjsddaqjexxuxqxvr"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\sdxuouqotqdhpkwkbge"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\uycepmbhgyvmrqkokrrlbmq"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\uycepmbhgyvmrqkokrrlbmq"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\fsixqfljugnzbegsbueflrlgaa"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\fsixqfljugnzbegsbueflrlgaa"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\fsixqfljugnzbegsbueflrlgaa"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kjjhnwqoeljxpmzkmr"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\mdwsopbpstbcasvovczbp"
                      Source: C:\ProgramData\Remcos\remcos.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\wfckohmjgbthcgjsmmmusxyx"
                      Source: remcos.exe, 0000000D.00000002.2956317651.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2718577617.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000D.00000003.2751198640.0000000002C2C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 13_2_33C72933 cpuid 13_2_33C72933
                      Source: C:\Windows\SysWOW64\recover.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\recover.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\recover.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\ProgramData\Remcos\remcos.exeCode function: 13_2_33C72264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,13_2_33C72264
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 15_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,15_2_004082CD
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeCode function: 0_2_00405B9A GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405B9A
                      Source: C:\ProgramData\Remcos\remcos.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      barindex
                      Yara detected Remcos RAT
                      Source: Yara matchFile source: 0000000D.00000002.2956317651.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2956317651.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.1976680932.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2718577617.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2751198640.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: staff record or employee record_pdf.exe PID: 7760, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 7348, type: MEMORYSTR
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                      Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                      Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Tries to steal Instant Messenger accounts or passwords
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Paltalk
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Paltalk
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Paltalk
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                      Tries to steal Mail credentials (via file registry)
                      Source: C:\Windows\SysWOW64\recover.exeCode function: ESMTPPassword15_2_004033F0
                      Source: C:\Windows\SysWOW64\recover.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword15_2_00402DB3
                      Source: C:\Windows\SysWOW64\recover.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword15_2_00402DB3
                      Yara detected WebBrowserPassView password recovery tool
                      Source: Yara matchFile source: 13.2.remcos.exe.335b0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 23.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.remcos.exe.33b30000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.3.remcos.exe.334126a0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.3.remcos.exe.332da1a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.remcos.exe.33a00000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.remcos.exe.335b0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 23.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.remcos.exe.33b30000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.3.remcos.exe.332da1a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.remcos.exe.33a00000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000D.00000002.2980081200.00000000335B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2926798485.0000000033413000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2981967691.0000000033A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2761637855.0000000033964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2758472844.00000000332DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2927967777.0000000033646000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2812756762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2927320513.00000000333B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2927844678.0000000033723000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2928082099.00000000337E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2927754792.00000000338AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.2872937583.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2750878785.00000000333B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2754151160.00000000335B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000002.2925482368.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2983719949.0000000033B30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2757460515.0000000033725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 7348, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: recover.exe PID: 3368, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: recover.exe PID: 6776, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: recover.exe PID: 7500, type: MEMORYSTR
                      Source: C:\ProgramData\Remcos\remcos.exeDirectory queried: number of queries: 1326

                      Remote Access Functionality

                      barindex
                      Detected Remcos RAT
                      Source: C:\Users\user\Desktop\staff record or employee record_pdf.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-ULE32LJump to behavior
                      Source: C:\ProgramData\Remcos\remcos.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-ULE32L
                      Yara detected Remcos RAT
                      Source: Yara matchFile source: 0000000D.00000002.2956317651.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2956317651.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.1976680932.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2718577617.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2751198640.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: staff record or employee record_pdf.exe PID: 7760, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 7348, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
                      Native API                      		1
                      DLL Side-Loading                      		1
                      DLL Side-Loading                      		1
                      Deobfuscate/Decode Files or Information                      		1
                      OS Credential Dumping                      		1
                      System Time Discovery                      		Remote Services1
                      Archive Collected Data                      		1
                      Ingress Tool Transfer                      		Exfiltration Over Other Network Medium1
                      System Shutdown/Reboot
                      CredentialsDomainsDefault Accounts1
                      Shared Modules                      		11
                      Registry Run Keys / Startup Folder                      		312
                      Process Injection                      		2
                      Obfuscated Files or Information                      		2
                      Credentials in Registry                      		1
                      Account Discovery                      		Remote Desktop Protocol1
                      Data from Local System                      		11
                      Encrypted Channel                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain Accounts2
                      Command and Scripting Interpreter                      		Logon Script (Windows)11
                      Registry Run Keys / Startup Folder                      		1
                      DLL Side-Loading                      		1
                      Credentials In Files                      		14
                      File and Directory Discovery                      		SMB/Windows Admin Shares1
                      Email Collection                      		1
                      Non-Standard Port                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                      Masquerading                      		NTDS228
                      System Information Discovery                      		Distributed Component Object Model2
                      Clipboard Data                      		1
                      Remote Access Software                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script312
                      Process Injection                      		LSA Secrets331
                      Security Software Discovery                      		SSHKeylogging2
                      Non-Application Layer Protocol                      		Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials4
                      Process Discovery                      		VNCGUI Input Capture13
                      Application Layer Protocol                      		Data Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync1
                      System Owner/User Discovery                      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1629734 Sample: staff record or employee re... Startdate: 05/03/2025 Architecture: WINDOWS Score: 100 55 gj32.online 2->55 57 geoplugin.net 2->57 75 Suricata IDS alerts for network traffic 2->75 77 Antivirus / Scanner detection for submitted sample 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 9 other signatures 2->81 10 staff record or employee record_pdf.exe 2 60 2->10         started        13 remcos.exe 40 2->13         started        15 remcos.exe 40 2->15         started        17 remcos.exe 2->17         started        signatures3 process4 file5 47 C:\Users\user\AppData\Local\...\System.dll, PE32 10->47 dropped 19 staff record or employee record_pdf.exe 2 10 10->19         started        49 C:\Users\user\AppData\Local\...\System.dll, PE32 13->49 dropped 51 C:\Users\user\AppData\Local\...\System.dll, PE32 15->51 dropped 53 C:\Users\user\AppData\Local\...\System.dll, PE32 17->53 dropped process6 dnsIp7 59 gj32.online 188.114.96.3, 443, 49736, 49897 CLOUDFLARENETUS European Union 19->59 41 C:\ProgramData\Remcos\remcos.exe, PE32 19->41 dropped 43 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 19->43 dropped 83 Detected Remcos RAT 19->83 85 Creates autostart registry keys with suspicious names 19->85 24 remcos.exe 40 19->24         started        file8 signatures9 process10 file11 45 C:\Users\user\AppData\Local\...\System.dll, PE32 24->45 dropped 87 Antivirus detection for dropped file 24->87 89 Multi AV Scanner detection for dropped file 24->89 91 Tries to detect virtualization through RDTSC time measurements 24->91 93 Switches to a custom stack to bypass stack traces 24->93 28 remcos.exe 24->28         started        signatures12 process13 dnsIp14 61 103.178.235.40, 2404, 49929, 49945 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown 28->61 63 geoplugin.net 178.237.33.50, 49946, 80 ATOM86-ASATOM86NL Netherlands 28->63 65 127.0.0.1 unknown unknown 28->65 95 Detected Remcos RAT 28->95 97 Writes to foreign memory regions 28->97 99 Maps a DLL or memory area into another process 28->99 101 Sample uses process hollowing technique 28->101 32 recover.exe 28->32         started        35 recover.exe 28->35         started        37 recover.exe 28->37         started        39 9 other processes 28->39 signatures15 process16 signatures17 67 Tries to steal Instant Messenger accounts or passwords 32->67 69 Tries to steal Mail credentials (via file / registry access) 32->69 71 Tries to steal Mail credentials (via file registry) 39->71 73 Tries to harvest and steal browser information (history, passwords, etc) 39->73

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      staff record or employee record_pdf.exe21%ReversingLabs
                      staff record or employee record_pdf.exe19%VirustotalBrowse
                      staff record or employee record_pdf.exe100%AviraHEUR/AGEN.1331786

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\ProgramData\Remcos\remcos.exe100%AviraHEUR/AGEN.1331786
                      C:\ProgramData\Remcos\remcos.exe21%ReversingLabs
                      C:\Users\user\AppData\Local\Temp\nshB4AE.tmp\System.dll0%ReversingLabs
                      C:\Users\user\AppData\Local\Temp\nshDB60.tmp\System.dll0%ReversingLabs
                      C:\Users\user\AppData\Local\Temp\nsm693D.tmp\System.dll0%ReversingLabs
                      C:\Users\user\AppData\Local\Temp\nso92FD.tmp\System.dll0%ReversingLabs
                      C:\Users\user\AppData\Local\Temp\nswF601.tmp\System.dll0%ReversingLabs

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://ocsp.sectigo.com00%Avira URL Cloudsafe
                      https://gj32.online/i0%Avira URL Cloudsafe
                      https://gj32.online/WquhOBRy/DWrKpmgyPBhZOjDQurqj189.binXS0%Avira URL Cloudsafe
                      https://gj32.online/WquhOBRy/DWrKpmgyPBhZOjDQurqj189.bin0%Avira URL Cloudsafe
                      https://gj32.online/0%Avira URL Cloudsafe
                      http://nsis.sf.net/NSIS_ErrorError0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      geoplugin.net
                      		178.237.33.50
                      		truefalse
                        		high
                        gj32.online
                        		188.114.96.3
                        		truefalse
                          		unknown

                          Contacted URLs

                          <
                          NameMaliciousAntivirus DetectionReputation
                          https://gj32.online/WquhOBRy/DWrKpmgyPBhZOjDQurqj189.binfalse