
Windows Analysis Report
RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe

Overview

General Information

Sample name: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Analysis ID: 1640367
MD5: 61725da4f7825615b317de75818d8d54
SHA1: 0049128804aadb3513087ff4648b690947a0a030
SHA256: bf9b1fb1f7b689fb89ce8278aab22e89d4dd1bb889e1bf60d3b4bf591b40b5fd
Tags: exe, RAT, RemcosRAT, user-abuse_ch

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Detected Remcos RAT
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
AI detected suspicious PE digital signature
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe (PID: 5128 cmdline: "C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe" MD5: 61725DA4F7825615B317DE75818D8D54)
    • RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe (PID: 5960 cmdline: "C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe" MD5: 61725DA4F7825615B317DE75818D8D54)
      • recover.exe (PID: 7004 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\qxzdfiuzuindcswlguzzrrhxv" MD5: D38B657A068016768CA9F3B5E100B472)
      • recover.exe (PID: 1204 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\qxzdfiuzuindcswlguzzrrhxv" MD5: D38B657A068016768CA9F3B5E100B472)
      • recover.exe (PID: 1184 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\arewgbnsqqfimgsxpembbwbgeusgg" MD5: D38B657A068016768CA9F3B5E100B472)
      • recover.exe (PID: 4252 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ktrohtyueyxnpmgbypyuejwxfakphdhs" MD5: D38B657A068016768CA9F3B5E100B472)
      • recover.exe (PID: 2640 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ktrohtyueyxnpmgbypyuejwxfakphdhs" MD5: D38B657A068016768CA9F3B5E100B472)
      • recover.exe (PID: 3980 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ktrohtyueyxnpmgbypyuejwxfakphdhs" MD5: D38B657A068016768CA9F3B5E100B472)
      • sppsvc.exe (PID: 1204 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author
00000002.00000002.3316905557.0000000006749000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000002.00000003.1171665568.000000003701C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000002.00000003.1208483916.00000000370B2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000002.00000003.1201129720.00000000374E3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000002.00000003.1170610457.0000000036F3A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
Source | Rule | Description | Author
2.3.RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe.36f3a1a0.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
5.2.recover.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
2.3.RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe.36f3a1a0.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
2.2.RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe.37010000.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
2.3.RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe.36f3a1a0.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, ProcessId: 5960, TargetFilename: C:\ProgramData\remcos\logs.dat
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T08:58:33.758571+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49689 | 64.23.171.108 | 2404 | TCP
2025-03-17T08:58:34.930399+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49690 | 64.23.171.108 | 2404 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T08:58:34.902098+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.8 | 49691 | 178.237.33.50 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T08:58:29.901065+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49688 | 192.159.99.27 | 80 | TCP


AV Detection

Source: Yara match | File source: 00000002.00000002.3316905557.0000000006749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3316905557.000000000676A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3316905557.0000000006739000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3316212912.00000000063DF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1202560416.000000000676A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1201228262.000000000676A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe PID: 5960, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb | source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1171665568.000000003701C000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1208483916.00000000370B2000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172566527.0000000037194000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1201129720.00000000374E3000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1170610457.0000000036F3A000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3337843458.0000000037010000.00000040.10000000.00040000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1208630968.0000000037245000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172669231.0000000036F3B000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172864663.00000000373CE000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1207999854.0000000037305000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1201554819.0000000037481000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1206899609.0000000037190000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 00000005.00000002.1198189554.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 0_2_00405FE2 FindFirstFileA,FindClose,0_2_00405FE2
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 0_2_0040559E CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040559E
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 0_2_00402645 FindFirstFileA,0_2_00402645
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_00402645 FindFirstFileA,2_2_00402645
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_00405FE2 FindFirstFileA,FindClose,2_2_00405FE2
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_0040559E CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,2_2_0040559E
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_370910F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,2_2_370910F1
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_37096580 FindFirstFileExA,2_2_37096580
Source: C:\Windows\SysWOW64\recover.exe | Code function: 5_2_0040B477 FindFirstFileW,FindNextFileW,5_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe | Code function: 6_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,6_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,9_2_00407898

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49690 -> 64.23.171.108:2404
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49689 -> 64.23.171.108:2404
Source: global traffic | TCP traffic: 192.168.2.8:49689 -> 64.23.171.108:2404
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View | ASN Name: AFFINITY-FTLUS AFFINITY-FTLUS
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49688 -> 192.159.99.27:80
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49691 -> 178.237.33.50:80
Source: global traffic | HTTP traffic detected: GET /rrzogcvDo253.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: 192.159.99.27 Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: unknown | TCP traffic detected without corresponding DNS query: 192.159.99.27
Source: global traffic | HTTP traffic detected: GET /rrzogcvDo253.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: 192.159.99.27 Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1171665568.000000003701C000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1208483916.00000000370B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1171665568.000000003701C000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1208483916.00000000370B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3338133614.0000000037430000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1182276055.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: recover.exe, 00000005.00000003.1197805000.00000000032ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: recover.exe, 00000005.00000003.1197805000.00000000032ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3338133614.0000000037430000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1182276055.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: recover.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.00000000066E8000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3317456606.00000000080D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://192.159.99.27/rrzogcvDo253.bin
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://c.pki.goog/we2/64OUIVzpZV4.crl0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.0000000006739000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.0000000006721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://i.pki.goog/r4.crt0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://i.pki.goog/we2.crt0
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://o.pki.goog/we20%
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: bhv4E21.tmp.5.dr | String found in binary or memory: http://ocsp.digicert.com0:
                        Source: bhv4E21.tmp.5.drString found in binary or memory: http://ocsp.digicert.com0H
                        Source: bhv4E21.tmp.5.drString found in binary or memory: http://ocsp.digicert.com0I
                        Source: bhv4E21.tmp.5.drString found in binary or memory: http://ocsp.digicert.com0Q
                        Source: bhv4E21.tmp.5.drString found in binary or memory: http://ocsp.msocsp.com0
                        Source: bhv4E21.tmp.5.drString found in binary or memory: http://ocsp.msocsp.com0S
                        Source: bhv4E21.tmp.5.drString found in binary or memory: http://ocspx.digicert.com0E
                        Source: bhv4E21.tmp.5.drString found in binary or memory: http://www.digicert.com/CPS0
                        Source: bhv4E21.tmp.5.drString found in binary or memory: http://www.digicert.com/CPS0~
                        Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3338133614.0000000037430000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1182276055.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                        Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3338133614.0000000037430000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000003.1182021107.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000002.1182276055.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000009.00000003.1182053188.00000000031DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                        Source: recover.exe, 00000009.00000003.1182021107.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000003.1182053188.00000000031DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comata
                        Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3338133614.0000000037430000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1182276055.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                        Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3338133614.0000000037430000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1182276055.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                        Source: recover.exe, 00000005.00000002.1198341934.0000000002F14000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                        Source: recover.exe, 00000009.00000002.1182276055.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?5b3bec92835bc024c52f96dd
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?f0f7e1407b69bd65640be717
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f343d3a8731ffea490b8b5c3
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f92d19bcbba8eb1999dabbc8
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=LO
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb&ndcParam=QWthbWFp
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://dl.google.com/update2/installers/icons/%7B8a69d345-d564-463c-aff1-a69d9e530f96%7D.bmp?lang=e
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a&
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=MIRA-WW-PH7&FrontEn
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                        Source: recover.exeString found in binary or memory: https://login.yahoo.com/config/login
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://maps.windows.com/windows-app-web-link
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-08-30-16/PreSignInSettingsConfig.json
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=13164f2a9ee6956f1439
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=b92552
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?407dab52f7bc43350b5cde12afe93269
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?469316a07faf13c962eeef1395652e59
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://www.digicert.com/CPS0
                        Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3338133614.0000000037430000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1182276055.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                        Source: recover.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                        Source: bhv4E21.tmp.5.drString found in binary or memory: https://www.office.com/

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
                        Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exeCode function: 0_2_00405107 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405107
                        Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,5_2_00409E39
                        Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,5_2_00409EA1
                        Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,6_2_00406DFC
                        Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,6_2_00406E9F
                        Source: C:\Windows\SysWOW64\recover.exeCode function: 9_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,9_2_004068B5
                        Source: C:\Windows\SysWOW64\recover.exeCode function: 9_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,9_2_004072B5

                        E-Banking Fraud

                        Source: Yara matchFile source: 00000002.00000002.3316905557.0000000006749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.3316905557.000000000676A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.3316905557.0000000006739000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.3316212912.00000000063DF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000003.1202560416.000000000676A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000003.1201228262.000000000676A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe PID: 5960, type: MEMORYSTR
                        Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                        Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exeProcess Stats: CPU usage > 49%
                        Source: C:\Windows\SysWOW64\recover.exeCode function: 5_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,5_2_0040BAE3
                        Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_004016FD NtdllDefWindowProc_A,6_2_004016FD
                        Source: C:\Windows\SysWOW64\recover.exeCode function: 6_2_004017B7 NtdllDefWindowProc_A,6_2_004017B7
                        Source: C:\Windows\SysWOW64\recover.exeCode function: 9_2_00402CAC NtdllDefWindowProc_A,9_2_00402CAC
                        Source: C:\Windows\SysWOW64\recover.exeCode function: 9_2_00402D66 NtdllDefWindowProc_A,9_2_00402D66
                        Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exeCode function: 0_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_00403217
                        Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exeCode function: 2_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,2_2_00403217
                        Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe Code function: 0_2_00404946 0_2_00404946
                        Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe Code function: 0_2_004062B8 0_2_004062B8
                        Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe Code function: 2_2_00404946 2_2_00404946
                        Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe Code function: 2_2_004062B8 2_2_004062B8
                        Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe Code function: 2_2_370A7194 2_2_370A7194
                        Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe Code function: 2_2_3709B5C1 2_2_3709B5C1
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_0044A030 5_2_0044A030
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_0040612B 5_2_0040612B
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_0043E13D 5_2_0043E13D
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_0044B188 5_2_0044B188
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_00442273 5_2_00442273
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_0044D380 5_2_0044D380
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_0044A5F0 5_2_0044A5F0
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_004125F6 5_2_004125F6
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_004065BF 5_2_004065BF
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_004086CB 5_2_004086CB
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_004066BC 5_2_004066BC
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_0044D760 5_2_0044D760
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_00405A40 5_2_00405A40
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_00449A40 5_2_00449A40
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_00405AB1 5_2_00405AB1
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_00405B22 5_2_00405B22
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_0044ABC0 5_2_0044ABC0
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_00405BB3 5_2_00405BB3
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_00417C60 5_2_00417C60
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_0044CC70 5_2_0044CC70
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_00418CC9 5_2_00418CC9
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_0044CDFB 5_2_0044CDFB
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_0044CDA0 5_2_0044CDA0
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_0044AE20 5_2_0044AE20
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_00415E3E 5_2_00415E3E
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 5_2_00437F3B 5_2_00437F3B
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_00405038 6_2_00405038
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_0041208C 6_2_0041208C
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_004050A9 6_2_004050A9
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_0040511A 6_2_0040511A
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_0043C13A 6_2_0043C13A
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_004051AB 6_2_004051AB
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_00449300 6_2_00449300
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_0040D322 6_2_0040D322
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_0044A4F0 6_2_0044A4F0
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_0043A5AB 6_2_0043A5AB
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_00413631 6_2_00413631
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_00446690 6_2_00446690
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_0044A730 6_2_0044A730
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_004398D8 6_2_004398D8
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_004498E0 6_2_004498E0
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_0044A886 6_2_0044A886
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_0043DA09 6_2_0043DA09
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_00438D5E 6_2_00438D5E
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_00449ED0 6_2_00449ED0
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_0041FE83 6_2_0041FE83
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 6_2_00430F54 6_2_00430F54
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 9_2_004050C2 9_2_004050C2
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 9_2_004014AB 9_2_004014AB
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 9_2_00405133 9_2_00405133
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 9_2_004051A4 9_2_004051A4
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 9_2_00401246 9_2_00401246
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 9_2_0040CA46 9_2_0040CA46
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 9_2_00405235 9_2_00405235
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 9_2_004032C8 9_2_004032C8
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 9_2_00401689 9_2_00401689
                        Source: C:\Windows\SysWOW64\recover.exe Code function: 9_2_00402F60 9_2_00402F60
                        Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exeCode function: String function: 004029FD appears 49 times
                        Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 0044DDB0 appears 33 times
                        Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00418555 appears 34 times
                        Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 004186B6 appears 58 times
                        Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 004188FE appears 88 times
                        Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00422297 appears 42 times
                        Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\recover.exe | Code function: String function: 00413025 appears 79 times
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Static PE information: invalid certificate
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000000.00000002.976188507.0000000000436000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamefirewall gummistvlen.exeDVarFileInfo$ vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1171665568.000000003701C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1208483916.00000000370B2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3338133614.000000003744B000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172566527.0000000037194000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000000.974154705.0000000000436000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamefirewall gummistvlen.exeDVarFileInfo$ vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1208721447.0000000036F82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172800535.000000000676A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3337760612.0000000036F82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1208630968.0000000037245000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172864663.00000000373CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172800535.0000000006763000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1207999854.0000000037305000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1201479891.0000000036F74000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1202882344.0000000036F82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1201228262.000000000676A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1206899609.0000000037190000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Binary or memory string: OriginalFilenamefirewall gummistvlen.exeDVarFileInfo$ vs RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@16/15@1/3
Source: C:\Windows\SysWOW64\recover.exe | Code function: 5_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,5_2_0041A225
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,9_2_00410DE1
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 0_2_0040440A GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_0040440A
Source: C:\Windows\SysWOW64\recover.exe | Code function: 5_2_00415799 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,5_2_00415799
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,0_2_00402036
Source: C:\Windows\SysWOW64\recover.exe | Code function: 5_2_00416A46 FindResourceW,SizeofResource,LoadResource,LockResource,5_2_00416A46
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\json[1].json
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-VFJHJY
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | File created: C:\Users\user\AppData\Local\Temp\nsoC76C.tmp
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\recover.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1171665568.000000003701C000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1208483916.00000000370B2000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172566527.0000000037194000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1201129720.00000000374E3000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1170610457.0000000036F3A000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3337843458.0000000037010000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1171665568.000000003701C000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3338021892.00000000373C0000.00000040.10000000.00040000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1208483916.00000000370B2000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172566527.0000000037194000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1201129720.00000000374E3000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1170610457.0000000036F3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1171665568.000000003701C000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1208483916.00000000370B2000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172566527.0000000037194000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1201129720.00000000374E3000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1170610457.0000000036F3A000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3337843458.0000000037010000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1171665568.000000003701C000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1208483916.00000000370B2000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172566527.0000000037194000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1201129720.00000000374E3000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1170610457.0000000036F3A000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3337843458.0000000037010000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1171665568.000000003701C000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1208483916.00000000370B2000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172566527.0000000037194000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1201129720.00000000374E3000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1170610457.0000000036F3A000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3337843458.0000000037010000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1171665568.000000003701C000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1208483916.00000000370B2000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172566527.0000000037194000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1201129720.00000000374E3000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1170610457.0000000036F3A000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3337843458.0000000037010000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: recover.exe, 00000005.00000003.1197615165.0000000004D8A000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000005.00000003.1197664849.0000000004D9B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1171665568.000000003701C000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1208483916.00000000370B2000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172566527.0000000037194000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1201129720.00000000374E3000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1170610457.0000000036F3A000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3337843458.0000000037010000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | File read: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe
Source: C:\Windows\SysWOW64\recover.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit graph_6-33245
Source: unknown | Process created: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe "C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe"
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Process created: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe "C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe"
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\qxzdfiuzuindcswlguzzrrhxv"
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\qxzdfiuzuindcswlguzzrrhxv"
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\arewgbnsqqfimgsxpembbwbgeusgg"
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ktrohtyueyxnpmgbypyuejwxfakphdhs"
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ktrohtyueyxnpmgbypyuejwxfakphdhs"
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ktrohtyueyxnpmgbypyuejwxfakphdhs"
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: pstorec.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: pstorec.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                        Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exeFile written: C:\Users\user\AppData\Local\Temp\immobilism\Sengeforliggerens66\Wynne\fremdragningers.iniJump to behavior
                        Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb | source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1171665568.000000003701C000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1208483916.00000000370B2000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172566527.0000000037194000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1201129720.00000000374E3000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1170610457.0000000036F3A000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3337843458.0000000037010000.00000040.10000000.00040000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1208630968.0000000037245000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172669231.0000000036F3B000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1172864663.00000000373CE000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1207999854.0000000037305000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1201554819.0000000037481000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000003.1206899609.0000000037190000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000005.00000002.1198189554.0000000000400000.00000040.80000000.00040000.00000000.sdmp

                        Data Obfuscation

Source: Yara match | File source: 00000000.00000002.978201527.00000000090F8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 0_2_00406009 GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 0_2_10002D40 push eax; ret 0_2_10002D6E
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_37092806 push ecx; ret 2_2_37092819
Source: C:\Windows\SysWOW64\recover.exe | Code function: 5_2_00446B75 push ecx; ret 5_2_00446B85
Source: C:\Windows\SysWOW64\recover.exe | Code function: 5_2_00452BB4 push eax; ret 5_2_00452BC1
Source: C:\Windows\SysWOW64\recover.exe | Code function: 5_2_0044DDB0 push eax; ret 5_2_0044DDC4
Source: C:\Windows\SysWOW64\recover.exe | Code function: 5_2_0044DDB0 push eax; ret 5_2_0044DDEC
Source: C:\Windows\SysWOW64\recover.exe | Code function: 6_2_0044B090 push eax; ret 6_2_0044B0A4
Source: C:\Windows\SysWOW64\recover.exe | Code function: 6_2_0044B090 push eax; ret 6_2_0044B0CC
Source: C:\Windows\SysWOW64\recover.exe | Code function: 6_2_00451D34 push eax; ret 6_2_00451D41
Source: C:\Windows\SysWOW64\recover.exe | Code function: 6_2_00444E71 push ecx; ret 6_2_00444E81
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00414060 push eax; ret 9_2_00414074
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00414060 push eax; ret 9_2_0041409C
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00414039 push ecx; ret 9_2_00414049
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_004164EB push 0000006Ah; retf 9_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00416553 push 0000006Ah; retf 9_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00416555 push 0000006Ah; retf 9_2_004165C4

                        Persistence and Installation Behavior

Source: Initial sample | Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate (issuer same as subject) which is not trusted by system. 2) Organization 'afbindendes' is not a known legitimate company. 3) Email domain 'Titulary.Fiv' is highly suspicious and not a valid TLD. 4) Large time gap between compilation date (2014) and certificate creation (2024) suggests possible certificate manipulation. 5) Email username 'Hexachlorethane' is unusual and appears randomly generated. 6) While location claims US (Wyoming), the combination of suspicious elements suggests potential location spoofing. The certificate appears crafted to evade detection while lacking any legitimate organizational backing.
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | File created: \re [urgent]sunny pharmtech questionnaire for the weight sorting machine supplier-inos.exe (reported 15 times)
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | File created: C:\Users\user\AppData\Local\Temp\nsfCAD9.tmp\System.dll
Source: C:\Windows\SysWOW64\recover.exe | Code function: 6_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Process information set: NOOPENFILEERRORBOX (reported 12 times)
Source: C:\Windows\SysWOW64\recover.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | API/Special instruction interceptor: Address: 944EEF1
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | API/Special instruction interceptor: Address: 579EEF1
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | RDTSC instruction interceptor: First address: 940D727, second address: 940D727, instructions: 0x00000000 rdtsc; 0x00000002 cmp ebx, eax; 0x00000004 cmp ebx, ecx; 0x00000006 jc 00007F3CC48CC5C0h; 0x00000008 inc ebp; 0x00000009 cmp edx, ecx; 0x0000000b inc ebx; 0x0000000c test ebx, 73D564A9h; 0x00000012 rdtsc
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | RDTSC instruction interceptor: First address: 575D727, second address: 575D727, instructions: 0x00000000 rdtsc; 0x00000002 cmp ebx, eax; 0x00000004 cmp ebx, ecx; 0x00000006 jc 00007F3CC5257CC0h; 0x00000008 inc ebp; 0x00000009 cmp edx, ecx; 0x0000000b inc ebx; 0x0000000c test ebx, 73D564A9h; 0x00000012 rdtsc
Source: C:\Windows\SysWOW64\recover.exe | Code function: 5_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Window / User API: threadDelayed 370
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Window / User API: threadDelayed 9108
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Window / User API: foregroundWindowGot 1770
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsfCAD9.tmp\System.dll
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | API coverage: 4.4 %
Source: C:\Windows\SysWOW64\recover.exe | API coverage: 9.7 %
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | TID: 2040 | Thread sleep count: 262 > 30
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | TID: 2040 | Thread sleep time: -131000s >= -30000s
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | TID: 1400 | Thread sleep count: 370 > 30
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | TID: 1400 | Thread sleep time: -1110000s >= -30000s
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | TID: 1400 | Thread sleep count: 9108 > 30
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | TID: 1400 | Thread sleep time: -27324000s >= -30000s
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 0_2_00405FE2 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 0_2_0040559E CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 0_2_00402645 FindFirstFileA
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_00402645 FindFirstFileA
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_00405FE2 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_0040559E CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_370910F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_37096580 FindFirstFileExA
Source: C:\Windows\SysWOW64\recover.exe | Code function: 5_2_0040B477 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\recover.exe | Code function: 6_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\SysWOW64\recover.exe | Code function: 5_2_0041A8D8 memset,GetSystemInfo
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.00000000066E8000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.0000000006749000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: bhv4E21.tmp.5.dr | Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | API call chain: ExitProcess graph end node graph_0-4338
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | API call chain: ExitProcess graph end node graph_0-4498
Source: C:\Windows\SysWOW64\recover.exe | API call chain: ExitProcess graph end node graph_6-34123
Source: C:\Windows\SysWOW64\recover.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\sppsvc.exe | Process queried: DebugPort (reported 4 times)
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_37092639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\recover.exe | Code function: 5_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 0_2_00406009 GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_37094AB4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_3709724E GetProcessHeap
Source: C:\Windows\SysWOW64\recover.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_37092B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_37092639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_370960E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

                        HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write (reported 3 times)
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000 (reported 6 times)
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Memory written: C:\Windows\SysWOW64\recover.exe base: 31B9008
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Memory written: C:\Windows\SysWOW64\recover.exe base: 2AA9008
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Memory written: C:\Windows\SysWOW64\recover.exe base: 2A81008
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Process created: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe "C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe"
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\qxzdfiuzuindcswlguzzrrhxv" (reported 2 times)
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\arewgbnsqqfimgsxpembbwbgeusgg"
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ktrohtyueyxnpmgbypyuejwxfakphdhs" (reported 3 times)
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.0000000006749000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.0000000006739000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.0000000006749000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager!
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.0000000006749000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerM
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.0000000006749000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.0000000006749000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager26a9e88
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.0000000006749000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager_
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.0000000006749000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerNl
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.0000000006749000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager64
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.0000000006749000.00000004.00000020.00020000.00000000.sdmp, RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.000000000676A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe, 00000002.00000002.3316905557.0000000006721000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_37092933 cpuid
Source: C:\Windows\SysWOW64\recover.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 2_2_37092264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Windows\SysWOW64\recover.exe | Code function: 6_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy
Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Code function: 0_2_00405D00 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA
                        Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Stealing of Sensitive Information

Source: Yara match | File source: 00000002.00000002.3316905557.0000000006749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3316905557.000000000676A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3316905557.0000000006739000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3316212912.00000000063DF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1202560416.000000000676A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1201228262.000000000676A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe PID: 5960, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\SysWOW64\recover.exe | Code function: ESMTPPassword 6_2_004033F0
Source: C:\Windows\SysWOW64\recover.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 6_2_00402DB3
Source: C:\Windows\SysWOW64\recover.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 6_2_00402DB3
Source: Yara match | File source: 2.3.RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe.36f3a1a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe.36f3a1a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe.37010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe.36f3a1a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe.374e26a0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe.37010000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000003.1171665568.000000003701C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1208483916.00000000370B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1201129720.00000000374E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1170610457.0000000036F3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1172566527.0000000037194000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1198189554.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3337843458.0000000037010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1172669231.0000000036F3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1208630968.0000000037245000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1201554819.0000000037481000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1172864663.00000000373CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1207999854.0000000037305000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1206899609.0000000037190000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe PID: 5960, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: recover.exe PID: 1204, type: MEMORYSTR

                        Remote Access Functionality

Source: C:\Users\user\Desktop\RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VFJHJY
Source: Yara match | File source: 00000002.00000002.3316905557.0000000006749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3316905557.000000000676A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3316905557.0000000006739000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3316212912.00000000063DF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1202560416.000000000676A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1201228262.000000000676A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe PID: 5960, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 1 Shared Modules | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 11 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | 312 Process Injection | 1 DLL Side-Loading | 2 Credentials in Registry | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Masquerading | 1 Credentials In Files | 228 System Information Discovery | Distributed Component Object Model | 11 Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Virtualization/Sandbox Evasion | LSA Secrets | 241 Security Software Discovery | SSH | 2 Clipboard Data | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Access Token Manipulation | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | 12 Application Layer Protocol | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 312 Process Injection | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
Behavior Graph ID: 1640367 | Sample: RE [Urgent]Sunny Pharmtech ... | Startdate: 17/03/2025 | Architecture: WINDOWS | Score: 100

• DNS/IP Info: geoplugin.net
• Signatures: Suricata IDS alerts for network traffic; Yara detected GuLoader; Yara detected Remcos RAT; 6 other signatures
• Process: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe 30 (started)
  • Created File: C:\Users\user\AppData\Local\...\System.dll, PE32 (dropped)
  • Process: RE [Urgent]Sunny Pharmtech Questionnaire for the Weight Sorting Machine supplier-INOS.exe 4 15 (started)
    • DNS/IP Info: 64.23.171.108, 2404, 49689, 49690 AFFINITY-FTLUS United States
    • DNS/IP Info: 192.159.99.27, 49688, 80 CYBERLYNKUS United Kingdom
    • DNS/IP Info: geoplugin.net 178.237.33.50, 49691, 80 ATOM86-ASATOM86NL Netherlands
    • Created File: C:\ProgramData\remcos\logs.dat, data (dropped)
    • Signatures: Detected Remcos RAT; Writes to foreign memory regions; Maps a DLL or memory area into another process; 2 other signatures
    • Process: recover.exe 1 (started)
      • Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
    • Process: recover.exe 1 (started)
      • Signatures: Tries to steal Mail credentials (via file / registry access)
    • Process: recover.exe 2 (started)
    • 4 other processes
      • Signatures: Tries to steal Mail credentials (via file registry)
