Windows Analysis Report
https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c2e8c3b1-63be-4a97-a3b9-a21649a6fcff

Overview

General Information

Sample URL:	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c2e8c3b1-63be-4a97-a3b9-a21649a6fcff
Analysis ID:	1434831
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Blob-based file download detected

Creates autostart registry keys with suspicious names

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses reg.exe to modify the Windows registry

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Yara detected Remcos RAT

Source: Yara match	File source: 0000000F.00000002.1830931760.0000000011C1A000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2321670119.0000000000828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0000000F.00000002.1830931760.0000000011C1A000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0000000F.00000002.1830931760.0000000011C1A000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2321670119.0000000000828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000F.00000002.1830931760.0000000011C1A000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Blob-based file download detected

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs.zip

File download: blob:https://acrobat.adobe.com/624009de-a0ea-41f9-8486-005a82fac626

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Mouhn" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\Lopeunt.dll",EntryPoint /f

Yara signature match

Source: 0000000F.00000002.1830931760.0000000011C1A000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.troj.expl.win@26/100@0/408

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2516:120:WilError_03
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-F7FEXS

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe

File created: C:\Users\user\AppData\Local\Temp\Memory.vbs

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c2e8c3b1-63be-4a97-a3b9-a21649a6fcff
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2008,i,17323186205499374693,2373595720086911851,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2008,i,17323186205499374693,2373595720086911851,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe "C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe"
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process created: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe "C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe"
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Mouhn" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\Lopeunt.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Mouhn" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\Lopeunt.dll",EntryPoint /f
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process created: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe "C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe"
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Mouhn" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\Lopeunt.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Mouhn" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\Lopeunt.dll",EntryPoint /f
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: g2m.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: wsock32.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: secur32.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: wininet.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: avicap32.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: d3d9.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: msvfw32.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: samcli.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: logoncli.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: k7rn7l32.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: ntd3ll.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: wininet.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: edputil.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: policymanager.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: slc.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: sppc.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Windows\SysWOW64\reg.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *Mouhn

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *Mouhn
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *Mouhn

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process created: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe "C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Mouhn" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\Lopeunt.dll",EntryPoint /f
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0000000F.00000002.1830931760.0000000011C1A000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2321670119.0000000000828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-F7FEXS

Yara detected Remcos RAT

Source: Yara match	File source: 0000000F.00000002.1830931760.0000000011C1A000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2321670119.0000000000828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.12.144.73	unknown	United States	20940	AKAMAI-ASN1EU	false
52.202.204.11	unknown	United States	14618	AMAZON-AESUS	false
23.12.144.79	unknown	United States	20940	AKAMAI-ASN1EU	false
23.199.63.234	unknown	United States	20940	AKAMAI-ASN1EU	false
18.235.168.50	unknown	United States	14618	AMAZON-AESUS	false
99.84.191.18	unknown	United States	16509	AMAZON-02US	false
142.251.167.102	unknown	United States	15169	GOOGLEUS	false
23.53.35.138	unknown	United States	20940	AKAMAI-ASN1EU	false
142.251.163.103	unknown	United States	15169	GOOGLEUS	false
172.64.155.61	unknown	United States	13335	CLOUDFLARENETUS	false
104.17.28.92	unknown	United States	13335	CLOUDFLARENETUS	false
63.140.39.130	unknown	United States	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
99.84.191.50	unknown	United States	16509	AMAZON-02US	false
54.144.73.197	unknown	United States	14618	AMAZON-AESUS	false
52.203.217.134	unknown	United States	14618	AMAZON-AESUS	false
52.85.132.79	unknown	United States	16509	AMAZON-02US	false
142.251.163.94	unknown	United States	15169	GOOGLEUS	false
172.253.62.102	unknown	United States	15169	GOOGLEUS	false
44.198.86.118	unknown	United States	14618	AMAZON-AESUS	false
23.22.254.206	unknown	United States	14618	AMAZON-AESUS	false
54.85.24.143	unknown	United States	14618	AMAZON-AESUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
63.140.38.112	unknown	United States	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
23.53.35.143	unknown	United States	20940	AKAMAI-ASN1EU	false
151.101.193.138	unknown	United States	54113	FASTLYUS	false
172.64.155.179	unknown	United States	13335	CLOUDFLARENETUS	false
23.45.233.9	unknown	United States	20940	AKAMAI-ASN1EU	false
23.62.230.208	unknown	United States	20940	AKAMAI-ASN1EU	false
23.221.241.54	unknown	United States	8612	TISCALI-IT	false
172.253.122.94	unknown	United States	15169	GOOGLEUS	false
104.17.27.92	unknown	United States	13335	CLOUDFLARENETUS	false
45.89.55.76	unknown	Russian Federation	44676	VMAGE-ASRU	false
99.84.191.62	unknown	United States	16509	AMAZON-02US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.66.0.163	unknown	United States	13335	CLOUDFLARENETUS	false
44.196.228.180	unknown	United States	14618	AMAZON-AESUS	false
99.86.229.79	unknown	United States	16509	AMAZON-02US	false
34.193.227.236	unknown	United States	14618	AMAZON-AESUS	false
52.71.63.230	unknown	United States	14618	AMAZON-AESUS	false
178.237.33.50	unknown	Netherlands	8455	ATOM86-ASATOM86NL	false
3.233.142.19	unknown	United States	14618	AMAZON-AESUS	false
172.253.115.84	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.17

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
about:blank	false	Avira URL Cloud: safe	low

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GO30WR0E\json[1].json	JSON data	E294354D8528EFF8B2AAE25FB8E27026	4B91A1DB0628F01F3B71B04F58632466ED6C90FF	A14689E9711BD63B8E48800CC1659BCC62754D41A7FDDEF4B11F10F00D0B2E2E
C:\Users\user\AppData\Local\Temp\Memory.vbs	Unicode text, UTF-8 text, with CRLF line terminators	F2423557341720EE37A3CA4160AB350D	DFF2F296535FA069DD29AD0860BB1D3CA61A1E37	82C1E03D1965F9EFB7597E8999CC8464D471BE14657D42362B4D6FFDB257D2D7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed May 1 16:55:17 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide	95BD5F15CEB17D6409C365E9B8496203	C5738D615810F6C8A9F5EDED57D7573C1AE37456	41586132A627EE2EBA2F569BBC474B13276D2746BEC0A6A816A60D9AA5537005
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed May 1 16:55:17 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide	D8E3C238D328029A402C18AC9D4F27F2	8F6CE6E6403C107471ADC115C03FC9FA4EAB8C8E	D8D4F98739B7CB81A4CB8C675E7AA6F9513414B6CC451C2E2CED6CA03CBB6D7E
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide	E95448CE26AF4F4F603A55E75E7DCD95	761145E3EC05E025F9E8A9487944948FFA33C457	56FF64F69149136DAE60DB119B65639C99F86311DE68CF5D169DA51D59EDF921
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed May 1 16:55:17 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide	779F1B91AD5E94DF452021A6D447C599	91EB7A68AA4B64651BFA32D8DAAC75A3943C5D30	898162D2E1F8F22E58110E021A929F4D6B15D75C042FDC17502B8B31B8C40ADA
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed May 1 16:55:17 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide	69855956E2A7A8B6DBE2315EC931B26E	C2229F2AA171A117C96D3B548CCB91CDF0C88E96	51510E24143AB323C0805CDEE4CA5C5CA85A2428503DCA65DD68A2128C6D2609
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed May 1 16:55:17 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide	0076DF366295184FF463C8D95A6EB25A	FC624A73689459E1BBDADACEBACEE7DC8554C14E	E07017BDEA2ABB05BA406AD98DECC82E59A20A16895C8532D9B4322FBA46F301
C:\Users\user\Downloads\7d8b6525-64af-4625-9808-a9f62d64684c.tmp	Zip archive data, at least v2.0 to extract, compression method=deflate	8C2CF0D4D8B2F165E53FFC7FD70EE4A3	F203D192F22DFCE2CC3FBAA9FECB5929F9C1A360	B4199C9696930DA8880F8DC82AD4534E31DA5368D281C53ECA211E5F94DE40A2
C:\Users\user\Downloads\Theresa 2023 Tax Docs.zip (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	8C2CF0D4D8B2F165E53FFC7FD70EE4A3	F203D192F22DFCE2CC3FBAA9FECB5929F9C1A360	B4199C9696930DA8880F8DC82AD4534E31DA5368D281C53ECA211E5F94DE40A2
C:\Users\user\Downloads\Theresa 2023 Tax Docs.zip.crdownload (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	8C2CF0D4D8B2F165E53FFC7FD70EE4A3	F203D192F22DFCE2CC3FBAA9FECB5929F9C1A360	B4199C9696930DA8880F8DC82AD4534E31DA5368D281C53ECA211E5F94DE40A2
Chrome Cache Entry: 187	ASCII text, with very long lines (9311)	05616E808988C14EEBB4984FE9364C64	4C5699E28D27295794B526D8E606F6CCE51CF2F7	FB6A1D4A46A4BA0F3ACF3C57DE19B77FA3ED0E7B0575E59F0C1FDD192207FA1F
Chrome Cache Entry: 188	PNG image data, 567 x 320, 8-bit colormap, non-interlaced	F68227AD12254266749AA4DF255640F8	1A898EC16DA08C56E0DE6D6AC32BD6CEE1617D18	E93A12D29304F18C4AAC73566161E9AEC0D097C4895C369B880DB07139EE13C3
Chrome Cache Entry: 189	HTML document, ASCII text, with very long lines (30834)	DDA84293E6948178057C10D92803F02D	5E7D4EB219C462BEC3E0FD576B62134D9117A245	724DA4DA32A46BA73AB695820C7B19DBE529016583B28275989794926C7F3A9B
Chrome Cache Entry: 190	Unicode text, UTF-8 text, with very long lines (65463)	CC35A5FFDF30E93B9156C07DEF8578E1	FFC327D80B4D82177567AD7A64795CD0BA4F583B	98292E3C02EF11CA4A66C9AB057D536DA76805C8DE99F38BC1808EF019375F3D
Chrome Cache Entry: 191	ASCII text, with very long lines (7577)	A14505DD97019A129F678D3576650BE0	FA95E06B3D5CE939A495221A5C47C17E70224963	C364869FB939DE1903CED5B43092878FD11A03FF4C0EE2CF9715401352A343C9
Chrome Cache Entry: 192	Unicode text, UTF-8 text, with very long lines (24641), with no line terminators	04A2EC68BC883EDB028F2727E5379808	5EBE223A7A40C855AACE143DD4B053CEBA4E80BD	7A580C19BFBF1A1BDC5F2EAD587334A007742E13B2009B6409E282935C3F9295
Chrome Cache Entry: 193	Unicode text, UTF-8 text, with very long lines (65467)	01F0DAAFE603B1CD88B47FDB0C70C33C	BEAAAD2ACA6AB7FFC09DE55D50518405E2C391CC	B8A4D31AC0B1E6260D77CC51A39FEED04551E3266BB86F2B644C7F4BAEA1577D
Chrome Cache Entry: 194	ASCII text, with very long lines (34857)	D22CDF960724509819C6744E61FD5BF9	37353FA9237CB1E3CDCBA37398C6F877A0A31B8F	8D342BFBE133223B5195A33D93BBF3FE4B00BDAAA6AFDF39429631FC6B19D7CB
Chrome Cache Entry: 195	ASCII text, with very long lines (64886)	F1502FAC113B15D77B859C2478D9B136	754D39451C9EEB8A596A4AA830CAE09C783AA3E5	772DEA74AC13E776173863433338891757EA037A87735668D4908BC4143F650B
Chrome Cache Entry: 196	JSON data	3E090E08D95EEECF3E3500335B6903AC	585145AD697A1D80A591D499A3391B3D508C88D7	803B67EA86C7F9DE8043372B7D0C585EC0C7E06479EE79AE4D149E17A1A7D737
Chrome Cache Entry: 197	MS Windows icon resource - 1 icon, 32x31, 32 bits/pixel	4A26FB17C70FAC7759F15343042B92C7	938635A39D4317DB4EADDCF656CBE1C076480B03	CA973938B04E790E78D7C1BB99A03082FAFBA976514E4D3FC6C4F1B16F525D90
Chrome Cache Entry: 198	ASCII text, with very long lines (17724)	AAB6377D0D1C802ECA65DA6DF1620918	1DE90B3D07923A633EB9B810EB842AD50547546E	A774BAFCF7455D21E94DC645E7EA8D9903E60FC21CEDE21B0511A2A22F5EB13E
Chrome Cache Entry: 199	ASCII text, with very long lines (56817), with no line terminators	3E49ABD556BF0FAAA6D165FE66146E90	7E265A832FD1D29F8402A251D921879E516038E3	D09069AC9ED675C69FF5C159CDA6F444A94085A1623F2AB91D6F4FB9F71E8879
Chrome Cache Entry: 200	ASCII text, with very long lines (65471)	8808193A57FE2A6612887520C16EEC36	F469995021145E38BE0BBEAD7A27B971A7F0CA3C	B1460F171C59A89931821EF65D402B28421F8AFF4D4B108D5773C49DDB547977
Chrome Cache Entry: 202	ASCII text, with very long lines (4557)	65B992FED2C7E849A349A8C195BF14F4	210472FF3A7DE182EB206A904D180C6CD4E119F6	07FD8D65CA2CAC79E3FD2A87165A70BC6507D5BDF93E3096F593392021798578
Chrome Cache Entry: 203	Unicode text, UTF-8 text, with very long lines (52252)	F1D54AD2B7D500534DD66068E12F5B28	6AF1D89BA3998D28DBF57634C968743F46AE36A1	1D978D9C87A501E5652761B05D4599B0D3DCBB029378C0D3B09A93A56C24A7A2
Chrome Cache Entry: 204	ASCII text, with very long lines (65536), with no line terminators	AE662337B8414ABB493E4E3667F0AB15	2B7D7E0E330D0BAC40CE281199DB9241D00E6368	2052CB6D713A1B447AA4675B846F557DB8DD3511D145CEB112AF80679B09CAF7
Chrome Cache Entry: 205	ASCII text, with very long lines (65469)	5A4E6864710A442EEE2A6EF59986250A	A021F113D88DBD487FE24906BB1A39CEDA623C72	0CBEEADB70E6E92FCD993D82C15557295BFD75FD200759DB163AB7CDC3BB0E58
Chrome Cache Entry: 206	ASCII text, with very long lines (65536), with no line terminators	438730BD7A95541C04E5721DC4CAE147	C63BED710932100D8B2FC343F8EEF329F12E0FCD	CC9EED98827224390C95C9B44A836ABB6D1694F210FABE28FB411F8F126D5E78
Chrome Cache Entry: 207	Unicode text, UTF-8 text, with very long lines (4112), with no line terminators	0469B2578169B1AC7C3E5C053DD41047	6828517F09D5C513D1F2EA552E3ED4CF69812708	531C647E2CB21D1CA4DD7FEFEEB7CA65DDC1C73F9747500B1ACE50C103E1E9E8
Chrome Cache Entry: 208	Unicode text, UTF-8 text, with very long lines (65468)	81D9AFCC8B6A7011ACBF5ADE1E9308AE	AF028BBEE4780787875C1AA3316A6ACBE5FDD49E	C7333057EC60E212ACEA6BAC3C2667A3885C1B0D9CB1F72360A3346117F9BB48
Chrome Cache Entry: 209	ASCII text, with very long lines (65469)	2C5EF44344EAA71279128443E2F39044	8EA6B93EFADDA2944EA4C5075B1B33E5A81C8073	B6CFCA4420ACC1258BB8C546D01B38E014C5A64C48E2E2F3510A27A8196F66F3
Chrome Cache Entry: 210	JSON data	CDD7A3CA40E28A36C01C6BF42E761142	A383642CC2DAFDD8CAE84576AEBEB71BA318E049	39A3E129FE972509880189EB29DB5BBF8C5DF9A2A9D9E39096DFC1EE2664FEF3
Chrome Cache Entry: 211	ASCII text, with very long lines (65536), with no line terminators	AD90691E0BE1EF33C9217C45B52052DD	C690A58B843A2AE9F2618DF696FE55460DD6E230	05F52C4AF7A42CDB474BDD244D4513B988EB031018DD80F997C29F30703FBF57
Chrome Cache Entry: 212	GIF image data, version 89a, 1 x 1	81144D75B3E69E9AA2FA3E9D83A64D03	F0FBC60B50EDF5B2A0B76E0AA0537B76BF346FFC	9B9265C69A5CC295D1AB0D04E0273B3677DB1A6216CE2CCF4EFC8C277ED84B39
Chrome Cache Entry: 213	Unicode text, UTF-8 text, with very long lines (59145), with no line terminators	9BC586E2A6AD4EE5E4463DB3C08CA7A0	43503F22E47A2D2A8A56D30DEFC4D5DAEC9EF513	26FAFCF85DA1EC7A6CDE904BE18A6F83D813F38128607A97AA4E5CAB9B1A459B
Chrome Cache Entry: 214	ASCII text, with very long lines (29715)	4BAD83408D238976D6A8EAA5C1534091	91E44C818D907199ACFE13423FC8A562491ABBB8	FB54EE5F77F197FC062E0B64531259D68BD0ECA0FFC7506229A1653CE4378DDD
Chrome Cache Entry: 215	ASCII text, with very long lines (2702)	7F3108510F7940CDEEB90D360AF50CD4	9A3FC7D3DC42845B5281DD8927F31C1EF3E6C2A5	92F896D26B82DE8C0912FA8562CA7D21C7D6496822B354A37F06C4CF53C27BE8
Chrome Cache Entry: 216	Unicode text, UTF-8 text, with very long lines (61156)	86619F47BBD99466E782F9441B4E0269	E0D9D0A2AB465B4354E0BA7CA305D3C8C6CB289B	A32B76D5BC417C7F87ABA59B0A92190FF784D1ED95C713DA45FEA966A5BD8E82
Chrome Cache Entry: 217	ASCII text, with very long lines (65536), with no line terminators	445FE36F6472F9F8307FC6A2CFB3B4E4	64501B7E086D0DAF1BA4B0BCD78CA5D8ACCE0A06	20A3AA1C308188F4B2F12C60805ED0F96E8D535923A1EF3CF10AB3EF78BE8FE8
Chrome Cache Entry: 219	ASCII text, with very long lines (65536), with no line terminators	401A085DAF469075D7D14659F7D3CE0E	415A2E3D83BE2696CC7EC147AE109B651F1119A6	E3FFA71CD501F9A1352A1CD7C5653ABB51538D47826FF18FD628361153DD73DB
Chrome Cache Entry: 220	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	82C01E70A7FF19468BAD984CC87E90CD	0E7848947B29FB6BF6E4AC58A68FD685A5DFBAB5	D0D536F99F92C69E893149B42F3D45BD369475DFDBFB6843E1DCCE3C5558B091
Chrome Cache Entry: 221	Web Open Font Format (Version 2), CFF, length 38004, version 1.0	8D3C19E4ECCD8530EFC9E39326E0FC52	083F5A3B3161541E62CE4002D9FD1731FCA640D2	5961262FD0CD492D39005E866EF7496F7DD4779EBD615A0FC5ADE35D4EEB8030
Chrome Cache Entry: 222	Unicode text, UTF-8 text, with very long lines (65535), with no line terminators	EBD21AB653A7144C876A1A8F3AC0C3E8	D09B01CC230EA0E378431338400C0E9ED35EEE3A	1E89664B70B05A5A6908B56B4B5CEC6E1B8C9F2C0348F27428CA657161B6993D
Chrome Cache Entry: 223	Web Open Font Format (Version 2), CFF, length 36388, version 1.0	B2FE0D9753FE193A7965B201CCEB9547	5F2D96F6BFD11797A53E9A2832CA5A2F53211556	A4DF96CBF8E2CAA44973A92CC15757C900EFC169039CE07E36F4E0FBC86B0216
Chrome Cache Entry: 224	ASCII text, with very long lines (65536), with no line terminators	3719292B8E02345101424CE47255B605	EF352D5231C528C76D0498800242FE86B4BE95E1	5FB9B8D473879B609ACB2237D43497E5F3732275871FE53DF77384CDF057DF65
Chrome Cache Entry: 225	ASCII text, with very long lines (12488)	BEAB5225A8663804A13E85F063BF69C2	9587F9F1D78665C9BF2CA0B61903199FD73D889D	2A04C8E6D27FA6FEF61D44551BE3CB90E64C3ADC0613F9E40AB4650AC326A6D0
Chrome Cache Entry: 226	JSON data	E78AAE29253C4894EF77C2263DF2AF0E	F4BB400456EB30EB1D131549B777F405CCC1D348	599A201A8BCF34F862C99ED2109D9DAB8083C751FA16AA2EE87382FDAC0E1042
Chrome Cache Entry: 227	ASCII text	A8F31907CAE1CFE6508E91681726D9AA	145175C780ECDB6BF673DF3C0C0B0DC86C00A3E9	CAB13851A06215CD7ADC3251C7BB0F8CEE2BAE4FC160FE4DA20573C3B1063575
Chrome Cache Entry: 228	troff or preprocessor input, ASCII text, with very long lines (7656)	CA344841298EEDD995DB0268E6DAE183	31057C6C81ADEFA4796A7931AAA48553C5C09ABA	11F0D5166D3992C0FB0FDEF41A0A943C8BCF1FF631306C9A2330FF476D62ADF5
Chrome Cache Entry: 229	ASCII text, with very long lines (65458)	1EA514B9E5C7EE2629C4CA4F5EBD0150	E29E2620819C9ADE643BEEB04A1D232F401F5732	8CE78ED2B6AB2A332768ED925E9AB53D35D9E989E02050A98ECC20E8D09FF4BD
Chrome Cache Entry: 231	Unicode text, UTF-8 text, with very long lines (65378), with no line terminators	E944B2E2EE1D5BE4FA749EFBEB84817E	30D6780041DA031839B9294D71FD524F44A372B3	1374C80D4579FEBF29F71AD3B62473CF532E0F32C81D0D2AF3CA0EB4D9F91578
Chrome Cache Entry: 232	Unicode text, UTF-8 text, with very long lines (55072)	4DD04062EF449C113DE9536573F87393	B29E9256596E21E3ADC69221B465E40D5F3EF80F	50C8F26607BD07CB1379D0AD03E984952A4B0D3F6B33BBE5704527D966D01C91
Chrome Cache Entry: 233	ASCII text, with very long lines (65459), with escape sequences	F1C0199D1F1D04BD79224A3883BCEF3C	71CD8CC1016BF680700373198A3DECC7EE2E12E3	C3B3386489FCEEAED9D3E88D3C96890F9F5F7CA7119AE96C6C0E407A932FE518
Chrome Cache Entry: 234	ASCII text, with very long lines (65536), with no line terminators	49FDA27918FB2154DD63539A900DB4ED	89F9E57159BF5C30FF48A9353578F57AACD6CBFB	D4766EE6C6F3D020B3205E1BDAC11FE0DBCF2BBAB3B2D14CDE88074F2B68CE8D
Chrome Cache Entry: 235	ASCII text	03DB7A20C614CC6FE830EDD353B44904	A0883E893D819D325B9DFDA19F84D98C74BB90B6	CFC32A2207E7DCE665E2A6C8CE5C8AE5E3C83AA2BB2184277CE2F39E6838D597
Chrome Cache Entry: 236	PNG image data, 567 x 320, 8-bit colormap, non-interlaced	D35D9AD7A044121ADBA1407BA81D8D86	A520AFFC9EFFD5128B7B9BBCF1DCA7FD1D5FA914	B9995DE4418ECDA54965D1B84A65111A34DAA1F558F247BE8B95043A3A02C0CC
Chrome Cache Entry: 237	ASCII text, with very long lines (65536), with no line terminators	11382592A9015A8A3552BFECF6AE7A5C	4496D584C1CE97D39170A01CA7D65CEC64748F81	D216FEDE3A5D3D972945DA16A52E4E1863000BBD9555E84795D61E7119BD91DB
Chrome Cache Entry: 238	ASCII text, with no line terminators	A0003C5128AD84191667AA0B2833239E	0584760ADF11233DBAEF33B6297824690C606612	51BF71694918D0C20F16C5250CD883D0189DCAB32582245219EE2BFA80721C31
Chrome Cache Entry: 239	JSON data	F679C1229BF227A59798784C27DFE281	A126BEA66490A451B6343C31F31E68382544FC07	F16330E0E551D630FC6D48C83B34FFC4B6A723018890EBDE87C6AAE15CDC4F43
Chrome Cache Entry: 240	ASCII text, with very long lines (25528)	50693BDD5997F38C9F24FCABC7A7D6B4	47D6D476A248D57A5BC53596DFD4118E73D12315	2E7347BD752F9574CD766A969FB07EF3845084E6648F35F3A6C360106A22B9CC
Chrome Cache Entry: 241	ASCII text, with very long lines (65471)	67C8711A16E924AF88387137F47F6BD3	D77C7E18A3A152E0A116BA8E39B85EEDF773A9EE	9C95EFC8BD1339AB9FF987B5F1E41A2836B3C15658EF0A2E65FB96F3CDDE4B1E
Chrome Cache Entry: 242	Web Open Font Format (Version 2), CFF, length 39260, version 1.0	35234F8ADC394C536031C99D7AC8484F	12EBFA0153118FAB8664C3B8EF696B64F4EA8EB5	E024FB3F5D381FE02FA0BC243DC557D5DAFF401F1B89220EBDFDA89D5F99D207
Chrome Cache Entry: 243	Unicode text, UTF-8 text, with very long lines (65502), with no line terminators	6B246F5ECCC402432B1136C70122EF2C	4ACC3217E2251E0C3DAFC93E308035A9741E67C9	FF3507E6486D3C3E789A547E0AAF8788D9C9726A111BBBD891EC173B2782543C
Chrome Cache Entry: 244	JSON data	6194F3855050E2CA9FAEEC89DCE2BD62	6EEF6E66AED89E3F3071BBE28ED31DC2F18093AF	7065DCDC949E26A300EA566A13991BB182E8B51F6BD2916C5ECDDDEB8D8882CB
Chrome Cache Entry: 245	ASCII text, with very long lines (20972)	C70A6B1A37B3726DDF18AC9CC6518147	5C7B3C1911FFFD3EE08FF184B27B7343DB1A61C1	59DEB65759511BBBF2AB9BF921ECC46458052074C6260D7B77887383D8444B81
Chrome Cache Entry: 246	Unicode text, UTF-8 text, with very long lines (24858), with no line terminators	A97960E5A6746472EB9DCC2FFD952255	5B1316C1BA38E08E2AB5FA37DA6B3100B048098D	F73D64A911762E130B2A92E3DCB0CAE1AC2264437505C766579BB00636DC772D
Chrome Cache Entry: 247	Web Open Font Format (Version 2), CFF, length 38708, version 1.0	9B7DF6DE861255C8E82EF093D507D3DD	BD72B5EABBDCE88F1701A76E1469744D85CE663F	4B6A2E9B5AE1532E496A30FF9680B75A554CBE0785B4B12BEABD729477869C22
Chrome Cache Entry: 251	ASCII text, with very long lines (6132)	6C7677C264BFAB888A739A8E87EC4792	EC40EF7190587C5FD9CE2809B755AB5B030A18B0	08DBA4A4FA623C3AFEA11307A6CBF0B375611A6B281865FA25B817708787CF56
Chrome Cache Entry: 252	JSON data	D41C44102E36F8DFA77FC7783421B2B1	1186D33247D4250492F27D953779D715E5B9E32A	414597B5694B2B743634B2913BC22E0FF27AD7A6F636085F971C55123DA42963
Chrome Cache Entry: 253	ASCII text, with very long lines (16355)	DFF189E880C4E2F5325CA196BF36798C	BA4B45A0C38A691D2C3CA42AE9F69464B77F0E66	8D00C332E0EB5700C72C8847AAB09EBA2C0C85860049DCF044BA5D6840EAF7FA
Chrome Cache Entry: 254	ASCII text, with very long lines (10418)	EA1846A0DF216C41FABD5160169E99AD	5C2EBE75B3EA9CB577A982C42374BA6FDB058B96	8B91183A5F0D8878894E43F19B879689C6E03ADC1296608070E2652CADEF306C
Chrome Cache Entry: 255	ASCII text, with very long lines (15446)	70A6359D4A7979FB5A703CD22AA2BEF1	54F87F633E143B07F6299FD7DC90B7773E1FC5E9	5521FEA334C99827F975ED1C3C563CFD58C7B816FEDF1C0EEAA24DA98C328C3D
Chrome Cache Entry: 257	ASCII text, with very long lines (7923)	55EABD1420D797A627E1AA2D22B72861	0BA6CAF4A4FC0655D796392FA2C0BD293C989511	957A208E759350BBA5DE1D854E6B1B43B02D95D37414FD1BC86D8109DC76A78F
Chrome Cache Entry: 258	Unicode text, UTF-8 text, with very long lines (65457)	FC4770A39DEC2A48ED24C5F1395379F5	C15B28F7B8DD936C4FC2312B814797B8F86C7F44	B0F81A29B846C733F2A2D0170832A1ECCC2FBB5EE9BC3E6CD0355FD8B8A56E4C
Chrome Cache Entry: 259	ASCII text, with very long lines (59164)	6C00CC59CB6F12C8C5AB0D1DC29BA9DC	1A21FC8BABDB37575ABD21E3312BA9110F86C940	BFD00D1568F9A338956506B2E12A367D02B91379DE6E6F3F91F315831976923C
Chrome Cache Entry: 260	ASCII text, with very long lines (31583)	0AFC8C3F5C7FFCFDBF76822E073274CA	FCD749C951C907E2456FA577B89A4EAB54D431B2	7553CB516EA5288AC03CBED31516277263D56AAEA7FE36E1B3D11D50C7E5BC89
Chrome Cache Entry: 262	JSON data	AD4CF40F1CD438B984F3E98CA6C7C3D9	0B770C1805211562D0C549A177D7B0AE07B94E41	DD70B72768BC3D5CFCCB22CDCFBEC4046D24E19B11DE716621F6B988BBD164E3
Chrome Cache Entry: 263	ASCII text, with very long lines (65536), with no line terminators	8D7937B4E2A84255CDA8AF1AB85C2530	D11C25597F6C93BD288D6E94C4CEB61CCBF5493E	D9FE1F3B67D1CCDB83D78FE93C81A3961278B277D0007DC7ECD0A2A830C5B616
Chrome Cache Entry: 264	Unicode text, UTF-8 text, with very long lines (48156), with no line terminators	C53BF4BD97AF4007A11A8A2AD296B69D	1CE90086B206C4A146DD788D008D5EC507BA3E13	C63248B1172D0FCCD15B4915E1233532F84DC4E23DC7716091AC889BCDCBB44B
Chrome Cache Entry: 265	PNG image data, 567 x 320, 8-bit colormap, non-interlaced	06968C7FFD45D571E14F3424302B121F	097FF33BF0A8055BCD8C97E2CAC8C94180FE058B	4E747D58ED0F8E71D07110460B1CB77A083723BEAA980FA4B6AC4EB7A30004E4
Chrome Cache Entry: 267	ASCII text, with very long lines (13451)	1ABB7EA172F81EA0A6F45090C7A4405F	6FA3FB56A3BF49401F58023E1B731E08FF8E52CC	9BD710DD0B9EF2EC987FF7C8691AB802B527BB6ADD1AAD92066CB16FC9AAF29E
Chrome Cache Entry: 268	PNG image data, 567 x 320, 8-bit colormap, non-interlaced	5B8C30495BD157C377BEC29396AEE6F3	8D0C06676BB602D55A6133A0C9966794E5EACF75	63CB5314DB63D5CD2F24DA33EF66506B438933D4CE0ACAD9299AA88985D55917
Chrome Cache Entry: 269	ASCII text, with very long lines (28278)	42DF9A5567C3C99560A1CCC28DF62476	340F211624B18E5BA8992A3E3145A87DA14E556E	98EDDB8C9A965F96BD1518CC4547969C643D39AAA113A77A798828D742875911
Chrome Cache Entry: 270	Unicode text, UTF-8 text, with very long lines (46054)	D434AEB9C3FCC6F07AF3C9D58215B161	6879AFE50C726B10FDB329D26F3D0EA2773A6802	F90D877ED47C4E333A6611099BAEC7DD971234B010F7DFCEF0F810FD787026DD
Chrome Cache Entry: 272	WebAssembly (wasm) binary module version 0x1 (MVP)	2A0E08B081088EC70E11860E695E26B9	616483F12CD95073DEB0876705E4F2AC33D4598F	04136E0CCFBFB46B3054383232694E227F0DED4B5E1D240B54D5ACC09B17A20A
Chrome Cache Entry: 273	ASCII text, with very long lines (65469)	B8457FF3F55DB60CCFD68196F4234C2C	64946E75D44922E1C01B5C0FBEC41C6D8D95788B	5BA73BDEC1F63CAB364D2A055A08D2774C7E95041FBEEB065E206DEC76808FDC
Chrome Cache Entry: 275	ASCII text, with very long lines (5906)	7F138CE1679B288CBF0DA64964D26EA7	BFFCF2F654E8C728A5AC472522E79964B63C4FDD	0F10B2C3E61121B99A186D14F9503C153B265C05191B5A57A616BED8FAFF1BAE
Chrome Cache Entry: 276	ASCII text, with very long lines (65536), with no line terminators	D43FE6091A3941A06CAFC8AFDCE0409F	BD6908B07BE925843AC566205576E5D9F17EEDDC	A835A1385C7C3B174CAFA211E0ECC90E7CFFF6E35C52175D4AF2BE978AD4CF2C
Chrome Cache Entry: 277	Unicode text, UTF-8 text, with very long lines (2369)	CFE609917C9E7D4EED2C80563DED171B	2E5BBD88B040662BF8023FD6A9D55CC760008695	AD84B43FFD121E46AC4D2FA817B5863E4802C523BC3FB5E864DB28B3DB0E2514
Chrome Cache Entry: 278	Unicode text, UTF-8 text, with very long lines (21770), with no line terminators	FC98C17249AA75B0593C4357E552DD92	930C72C7C5065F99609642104F2B43D3CE69D487	BCF6959324A08A48C5B94A321F6BA97B8FD5F44496A5B12A23F29A156560D20A
Chrome Cache Entry: 279	Web Open Font Format (Version 2), CFF, length 38976, version 1.0	3DC8E6938118F5FA1AF3E7A5A98BAA66	03CD9EE2CD0B7CD881FA75FF4A7369E68BD2154A	3D75BB0A01BC2FD0E963F6879634C371B205CA4DA67021B0F453592337DCC001
Chrome Cache Entry: 280	PNG image data, 567 x 320, 8-bit colormap, non-interlaced	022196D638C79559AB13292F2B267965	7A24B486AAD59342DAEDE8CEAAF36FF71D89DB86	10F169559D0032D5881637DA7DB08F205F6505E3FF7FE3BB34BFA93B44063B90
Chrome Cache Entry: 282	HTML document, Unicode text, UTF-8 text, with very long lines (477)	C4FAE49271A918C2AC763B90C5376F18	8D59008924DC85437490D5A223FEB5DDBCC669D6	15D373F0C2E0AC3927CEF7B8C9931666458D02FD22192B01ECA9158D787FC594
Chrome Cache Entry: 283	ASCII text, with very long lines (65536), with no line terminators	D76FCE600B30DC3691CBD27EB3568517	14C69FE241CFE09CE3939DDA0113BC1F75764AD3	2C02A64BCAD91EFEB37A04EEE5454C6A598CFC6CCFAA6F704B3D579457B0FB79
Chrome Cache Entry: 284	JSON data	52AF82DD94FCDC5E3E46A2CDF457FD56	6F195B5B9682599FE023F8F6118597560584067F	7C5970386C318C85B56AC39FF3331B7B841599B0184F7E5DD9782B3FF4EF4502
Chrome Cache Entry: 285	ASCII text, with very long lines (29243)	3E658E6DDBB6116C9FBC0B63E3FD913C	B97FE3642B268FE2C6C3586DFB5B0EA71264AA6B	9A7ECDE4537999AEEDF0592CFBF288D605CF3123B14362372D13A7418BD9A8CE
Chrome Cache Entry: 286	ASCII text, with very long lines (18357)	AAA07CE5DE984B193324F90E900BC932	6D5E90266FEF7DDF4F834596C11FCC05F4841821	E47AEBCC43D27C9D418644BFF649BC45E867AE545C3B98AF8B0B74DF1954AE7A
Chrome Cache Entry: 287	Web Open Font Format (Version 2), CFF, length 38948, version 1.0	8CF9CE13F6FE0205F4EAAC49FA17B681	2CEF6CD00A2D4A5CD5E0AB6F00042A70F1B73756	85257E2624BBB138582821CEB2F8B18C7B4FB43D26C1BCBFD5155CA81B55CC69
Chrome Cache Entry: 288	HTML document, ASCII text, with very long lines (7357), with no line terminators	8121E8EE50866B1E7AADA5B74842321F	7BDB37B3CCAB6CD97EF0D671C3D258DA0846384C	D42121B89AE8BEEA781B52445D7DF87C095EFE568DD9E03234E1B8F7EB48379A
Chrome Cache Entry: 289	ASCII text, with very long lines (43430)	8F312C92AE7E983F8CFF6B3AFD150A4E	2A392A83E7F758E9937EAD52540194F1904E3FF6	A370D415322B17ABF11EDDF42DDE9D7CAE88885FA135F24E1BBA7A2FDE976373

AV Detection

Yara detected Remcos RAT

Source: Yara match	File source: 0000000F.00000002.1830931760.0000000011C1A000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2321670119.0000000000828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0000000F.00000002.1830931760.0000000011C1A000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0000000F.00000002.1830931760.0000000011C1A000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2321670119.0000000000828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000F.00000002.1830931760.0000000011C1A000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Blob-based file download detected

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs.zip

File download: blob:https://acrobat.adobe.com/624009de-a0ea-41f9-8486-005a82fac626

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Yara signature match

Source: 0000000F.00000002.1830931760.0000000011C1A000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.troj.expl.win@26/100@0/408

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2516:120:WilError_03
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-F7FEXS

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe

File created: C:\Users\user\AppData\Local\Temp\Memory.vbs

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c2e8c3b1-63be-4a97-a3b9-a21649a6fcff
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2008,i,17323186205499374693,2373595720086911851,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2008,i,17323186205499374693,2373595720086911851,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe "C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe"
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process created: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe "C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe"
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Mouhn" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\Lopeunt.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Mouhn" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\Lopeunt.dll",EntryPoint /f
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process created: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe "C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe"
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Mouhn" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\Lopeunt.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Mouhn" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\Lopeunt.dll",EntryPoint /f
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: g2m.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: wsock32.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: secur32.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: wininet.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: avicap32.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: d3d9.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: msvfw32.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: samcli.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: logoncli.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: k7rn7l32.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: ntd3ll.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: wininet.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: edputil.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: policymanager.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: slc.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: sppc.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Windows\SysWOW64\reg.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *Mouhn

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *Mouhn
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *Mouhn

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process created: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe "C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Mouhn" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\Lopeunt.dll",EntryPoint /f
Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Memory.vbs"

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0000000F.00000002.1830931760.0000000011C1A000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2321670119.0000000000828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Downloads\Theresa 2023 Tax Docs\Theresa 2023 Tax Docs\2023 Tax Organizer.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-F7FEXS

Yara detected Remcos RAT

Source: Yara match	File source: 0000000F.00000002.1830931760.0000000011C1A000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1801346545.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2321670119.0000000000828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

ID:	1434831
Product:	CloudBasic
Start time:	19:54:46
Start date:	01.05.2024
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS

Windows Analysis Report
https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c2e8c3b1-63be-4a97-a3b9-a21649a6fcff

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Exploits

E-Banking Fraud

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Private

Contacted URLs

Windows Analysis Report https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c2e8c3b1-63be-4a97-a3b9-a21649a6fcff

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Exploits

E-Banking Fraud

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Private

Contacted URLs

Windows Analysis Report
https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c2e8c3b1-63be-4a97-a3b9-a21649a6fcff

Malware Threat Intel
Provided by