Analysis Report DHL 2723 382830 RECIBO, PDF.EXE

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 227217
Start date: 04.05.2020
Start time: 11:18:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 50s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: DHL 2723 382830 RECIBO, PDF.EXE
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@37/77@191/0
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 33.1% (good quality ratio 22.4%)
  • Quality average: 48.5%
  • Quality standard deviation: 39.7%
HCA Information:
  • Successful, ratio: 89%
  • Number of executed functions: 369
  • Number of non-executed functions: 182
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .EXE
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Excluded IPs from analysis (whitelisted): 2.18.68.82, 205.185.216.10, 205.185.216.42
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Execution Graph export aborted for target InstallUtil.exe, PID 2072 because it is empty
  • Execution Graph export aborted for target InstallUtil.exe, PID 3240 because it is empty
  • Execution Graph export aborted for target InstallUtil.exe, PID 4844 because it is empty
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | false | | Remcos | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification Spiderchart

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting11 | Registry Run Keys / Startup Folder1 | Access Token Manipulation1 | Software Packing1 | Credential Dumping1 | System Time Discovery1 | Remote File Copy11 | Screen Capture1 | Data Encrypted1 | Remote File Copy11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Replication Through Removable Media | Execution through API1 | Scheduled Task1 | Process Injection422 | Disabling Security Tools1 | Credentials in Files2 | Account Discovery1 | Remote Services | Input Capture211 | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Defacement1
External Remote Services | Graphical User Interface1 | Modify Existing Service1 | Scheduled Task1 | Deobfuscate/Decode Files or Information1 | Input Capture211 | Security Software Discovery21 | Windows Remote Management | Clipboard Data2 | Automated Exfiltration | Remote Access Tools1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Command-Line Interface1 | Application Shimming1 | Application Shimming1 | Scripting11 | Credentials in Files | System Service Discovery1 | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol1 | SIM Card Swap | Premium SMS Toll Fraud |
Exploit Public-Facing Application | Service Execution2 | New Service1 | New Service1 | Obfuscated Files or Information2 | Account Manipulation | File and Directory Discovery3 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol11 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Spearphishing Link | Scheduled Task1 | Modify Existing Service | New Service | Masquerading1 | Brute Force | System Information Discovery43 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features |
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Virtualization/Sandbox Evasion2 | Two-Factor Authentication Interception | Virtualization/Sandbox Evasion2 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Access Token Manipulation1 | Bash History | Process Discovery3 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection422 | Input Prompt | System Owner/User Discovery1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | Data Destruction |
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Scripting | Keychain | Remote System Discovery1 | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | Data Encrypted for Impact | |

Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Virustotal: Detection: 73%
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\tQVctBZDKZIa.exe | Virustotal: Detection: 73%
Source: C:\Users\user\AppData\Roaming\tQVctBZDKZIa.exe | ReversingLabs: Detection: 83%
Multi AV Scanner detection for submitted file
Source: DHL 2723 382830 RECIBO, PDF.EXE | Virustotal: Detection: 73%
Source: DHL 2723 382830 RECIBO, PDF.EXE | ReversingLabs: Detection: 83%
Yara detected Remcos RAT
Source: Yara match | File source: 00000014.00000002.832798090.0000000003A6F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.797873729.0000000002622000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1465232470.00000000076D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.803500069.00000000066F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.805369809.0000000003EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.780021957.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.865802143.0000000004400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 484, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 2072, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 4844, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL 2723 382830 RECIBO, PDF.EXE PID: 1216, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 4484, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 3240, type: MEMORY
Source: Yara match | File source: 6.2.DHL 2723 382830 RECIBO, PDF.EXE.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.DHL 2723 382830 RECIBO, PDF.EXE.400000.0.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.DHL 2723 382830 RECIBO, PDF.EXE.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXECode function: 6_2_0040740F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,6_2_0040740F
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXECode function: 6_2_004104E0 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@s
td@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr6_2_004104E0
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXECode function: 6_2_00407183 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE
PBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,6_2_00407183
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXECode function: 6_2_00404648 _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,#23,#4,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@s
td@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_s6_2_00404648
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 6_2_004126D3 wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 6_2_004126D3
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXECode function: 6_2_00404AD4 wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$bas
ic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,6_2_00404AD4
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXECode function: 6_2_00403315 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,6_2_00403315
Contains functionality to query local drives
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXECode function: 6_2_00403B9A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?length@?$
basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$cha6_2_00403B9A

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: onyeomam2020.ddns.net
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXECode function: 6_2_0040D427 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,6_2_0040D427
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: onyeomam2020.ddns.net
Urls found in memory or binary data
Source: InstallUtil.exe, 00000018.00000002.859576953.0000000001321000.00000004.00000020.sdmp | String found in binary or memory: http://go.microsoft.
Source: InstallUtil.exe, 00000018.00000002.859576953.0000000001321000.00000004.00000020.sdmp | String found in binary or memory: http://go.microsoft.LinkId=42127

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: [Esc] 6_2_00405DA6
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: [Enter] 6_2_00405DA6
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: [Tab] 6_2_00405DA6
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: [Down] 6_2_00405DA6
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: [Right] 6_2_00405DA6
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: [Up] 6_2_00405DA6
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: [Left] 6_2_00405DA6
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: [End] 6_2_00405DA6
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: [F2] 6_2_00405DA6
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: [F1] 6_2_00405DA6
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: [Del] 6_2_00405DA6
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: [Del] 6_2_00405DA6
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 6_2_004051C9 SetWindowsHookExA 0000000D,004051AE,00000000,00000000 6_2_004051C9
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE; Code function: 6_2_0040D1E8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE; Code function: 6_2_0040D1E8 (same call sequence as listed above, including OpenClipboard)
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE; Code function: 6_2_0040F460 Sleep,CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,DeleteDC,DeleteDC,DeleteDC,DeleteObject,SelectObject,DeleteDC,DeleteDC,DeleteDC,DeleteObject,StretchBlt,DeleteDC,DeleteDC,DeleteDC,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,DrawIcon,GetObjectA,DeleteDC,DeleteDC,DeleteDC,DeleteObject,LocalAlloc,GlobalAlloc,DeleteDC,DeleteDC,DeleteDC,DeleteObject,GetDIBits,DeleteDC,DeleteDC,DeleteDC,DeleteObject,GlobalFree,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,DeleteObject,GlobalFree,DeleteDC,DeleteDC,DeleteDC,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE; Code function: 6_2_00405221 GetKeyState,GetKeyState,GetKeyState,CallNextHookEx

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match; File source: 00000014.00000002.832798090.0000000003A6F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.797873729.0000000002622000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.1465232470.00000000076D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.803500069.00000000066F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.805369809.0000000003EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.780021957.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.865802143.0000000004400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 484, type: MEMORY
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 2072, type: MEMORY
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 4844, type: MEMORY
Source: Yara match; File source: Process Memory Space: DHL 2723 382830 RECIBO, PDF.EXE PID: 1216, type: MEMORY
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 4484, type: MEMORY
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 3240, type: MEMORY
Source: Yara match; File source: 6.2.DHL 2723 382830 RECIBO, PDF.EXE.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.DHL 2723 382830 RECIBO, PDF.EXE.400000.0.unpack, type: UNPACKEDPE

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE; Code function: 6_2_00412EE3 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,SystemParametersInfoW

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.780021957.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 00000006.00000002.780021957.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Remcos Payload, Author: kevoreilly
Source: 6.2.DHL 2723 382830 RECIBO, PDF.EXE.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 6.2.DHL 2723 382830 RECIBO, PDF.EXE.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos Payload, Author: kevoreilly
Source: 6.2.DHL 2723 382830 RECIBO, PDF.EXE.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 6.2.DHL 2723 382830 RECIBO, PDF.EXE.400000.0.unpack, type: UNPACKEDPE; Matched rule: Remcos Payload, Author: kevoreilly
.NET source code contains very large strings
Source: DHL 2723 382830 RECIBO, PDF.EXE, u206c????????????????????????????????????????.cs; Long String: Length: 105736
Source: 0.2.DHL 2723 382830 RECIBO, PDF.EXE.1b0000.0.unpack, u206c????????????????????????????????????????.cs; Long String: Length: 105736
Source: 0.0.DHL 2723 382830 RECIBO, PDF.EXE.1b0000.0.unpack, u206c????????????????????????????????????????.cs; Long String: Length: 105736
Source: tQVctBZDKZIa.exe.2.dr, u206c????????????????????????????????????????.cs; Long String: Length: 105736
Source: 2.2.InstallUtil.exe.4890000.2.unpack, u206c????????????????????????????????????????.cs; Long String: Length: 105736
Source: remcos.exe.6.dr, u206c????????????????????????????????????????.cs; Long String: Length: 105736
Source: 6.2.DHL 2723 382830 RECIBO, PDF.EXE.b80000.1.unpack, u206c????????????????????????????????????????.cs; Long String: Length: 105736
Source: 6.0.DHL 2723 382830 RECIBO, PDF.EXE.b80000.0.unpack, u206c????????????????????????????????????????.cs; Long String: Length: 105736
Source: 10.2.remcos.exe.400000.0.unpack, u206c????????????????????????????????????????.cs; Long String: Length: 105736
Source: 11.2.DHL 2723 382830 RECIBO, PDF.EXE.130000.0.unpack, u206c????????????????????????????????????????.cs; Long String: Length: 105736
Source: 11.0.DHL 2723 382830 RECIBO, PDF.EXE.130000.0.unpack, u206c????????????????????????????????????????.cs; Long String: Length: 105736
Source: 12.2.InstallUtil.exe.57c0000.2.unpack, u206c????????????????????????????????????????.cs; Long String: Length: 105736
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe; Code function: 2_2_04B30DD6 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe; Code function: 2_2_04B30DA3 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe; Code function: 20_2_0084B9BE NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe; Code function: 20_2_0084B84E NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe; Code function: 20_2_0084B983 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe; Code function: 20_2_0084B82C NtQueryInformationProcess
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE; Code function: 6_2_0040D1E8 (same call sequence as listed above)
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeCode function: 22_2_0503050722_2_05030507
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeCode function: 22_2_0503022322_2_05030223
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeCode function: 22_2_0503032022_2_05030320
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeCode function: 22_2_0503013222_2_05030132
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeCode function: 22_2_0503057E22_2_0503057E
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeCode function: 22_2_0503018522_2_05030185
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeCode function: 22_2_0503039622_2_05030396
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeCode function: 22_2_050301A622_2_050301A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD8EF024_2_02FD8EF0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD2AD824_2_02FD2AD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD1A9024_2_02FD1A90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FDA26024_2_02FDA260
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD226024_2_02FD2260
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD3A4024_2_02FD3A40
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD0B4924_2_02FD0B49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD0CE024_2_02FD0CE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD050024_2_02FD0500
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD96F024_2_02FD96F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FDA25024_2_02FDA250
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD5BD824_2_02FD5BD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD5BC824_2_02FD5BC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD57C024_2_02FD57C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD57B024_2_02FD57B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD67A024_2_02FD67A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD478824_2_02FD4788
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD477824_2_02FD4778
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FDC76824_2_02FDC768
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD972824_2_02FD9728
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD0F2824_2_02FD0F28
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD548824_2_02FD5488
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD19E024_2_02FD19E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD51E024_2_02FD51E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD51D124_2_02FD51D1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD59C024_2_02FD59C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD59B124_2_02FD59B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD918824_2_02FD9188
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FDC18824_2_02FDC188
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD5D7924_2_02FD5D79
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD917824_2_02FD9178
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeCode function: 24_2_02FD393024_2_02FD3930
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: String function: 00413956 appears 47 times
Sample file is different than original file name gathered from version info
Source: DHL 2723 382830 RECIBO, PDF.EXE, 00000000.00000002.769747218.0000000004A30000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs DHL 2723 382830 RECIBO, PDF.EXE
Source: DHL 2723 382830 RECIBO, PDF.EXE, 00000000.00000002.767021195.0000000000220000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIpFJ7nOQaI2qUdm.exe< vs DHL 2723 382830 RECIBO, PDF.EXE
Source: DHL 2723 382830 RECIBO, PDF.EXE, 00000000.00000002.769861577.0000000004A80000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs DHL 2723 382830 RECIBO, PDF.EXE
Source: DHL 2723 382830 RECIBO, PDF.EXE, 00000000.00000002.769861577.0000000004A80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL 2723 382830 RECIBO, PDF.EXE
Source: DHL 2723 382830 RECIBO, PDF.EXE, 00000006.00000002.783314191.00000000032F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs DHL 2723 382830 RECIBO, PDF.EXE
Source: DHL 2723 382830 RECIBO, PDF.EXE, 00000006.00000002.783314191.00000000032F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL 2723 382830 RECIBO, PDF.EXE
Source: DHL 2723 382830 RECIBO, PDF.EXE, 00000006.00000000.776221278.0000000000BF0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIpFJ7nOQaI2qUdm.exe< vs DHL 2723 382830 RECIBO, PDF.EXE
Source: DHL 2723 382830 RECIBO, PDF.EXE, 00000006.00000002.781505915.0000000002EA0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs DHL 2723 382830 RECIBO, PDF.EXE
Source: DHL 2723 382830 RECIBO, PDF.EXE, 0000000B.00000002.802294890.0000000004BA0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs DHL 2723 382830 RECIBO, PDF.EXE
Source: DHL 2723 382830 RECIBO, PDF.EXE, 0000000B.00000002.802294890.0000000004BA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL 2723 382830 RECIBO, PDF.EXE
Source: DHL 2723 382830 RECIBO, PDF.EXE, 0000000B.00000002.801550823.0000000004AA0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs DHL 2723 382830 RECIBO, PDF.EXE
Source: DHL 2723 382830 RECIBO, PDF.EXE, 0000000B.00000002.794988388.00000000001A0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIpFJ7nOQaI2qUdm.exe< vs DHL 2723 382830 RECIBO, PDF.EXE
Source: DHL 2723 382830 RECIBO, PDF.EXE, 0000000B.00000002.796727223.0000000000810000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs DHL 2723 382830 RECIBO, PDF.EXE
Source: DHL 2723 382830 RECIBO, PDF.EXE | Binary or memory string: OriginalFilenameIpFJ7nOQaI2qUdm.exe< vs DHL 2723 382830 RECIBO, PDF.EXE
Yara signature match
Source: 00000006.00000002.780021957.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000006.00000002.780021957.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 6.2.DHL 2723 382830 RECIBO, PDF.EXE.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.DHL 2723 382830 RECIBO, PDF.EXE.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 6.2.DHL 2723 382830 RECIBO, PDF.EXE.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.DHL 2723 382830 RECIBO, PDF.EXE.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Classification label
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@37/77@191/0
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 0_2_009AB46A AdjustTokenPrivileges
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 0_2_009AB433 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 6_2_0040EB33 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Code function: 10_2_00ACB46A AdjustTokenPrivileges
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Code function: 10_2_00ACB433 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 11_2_0080B46A AdjustTokenPrivileges
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 11_2_0080B433 AdjustTokenPrivileges
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Code function: 19_2_0129B46A AdjustTokenPrivileges
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Code function: 19_2_0129B433 AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Code function: 20_2_0084B4FE AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Code function: 20_2_0084B4C7 AdjustTokenPrivileges
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 6_2_00409AA0 GetModuleFileNameW,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,CloseHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,Process32NextW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CloseHandle,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,wcslen,?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z,??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CreateMutexA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,CloseHandle,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 6_2_00409D73 FindResourceA,LoadResource,LockResource,SizeofResource
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 6_2_004111A9 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
Creates files inside the user directory
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\DHL 2723 382830 RECIBO, PDF.EXE.log
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5060:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4220:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4404:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3700:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4480:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2872:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Mutant created: \Sessions\1\BaseNamedObjects\OOgzKv
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-JF6WXJ
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_01
Creates temporary files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Temp\tmp5E9E.tmp
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
PE file has an executable .text section and no other executable section
Source: DHL 2723 382830 RECIBO, PDF.EXE | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini files
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: DHL 2723 382830 RECIBO, PDF.EXE | Virustotal: Detection: 73%
Source: DHL 2723 382830 RECIBO, PDF.EXE | ReversingLabs: Detection: 83%
Sample reads its own file content
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | File read: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE 'C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe' /logtoconsole=false /logfile= /u 'C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tQVctBZDKZIa' /XML 'C:\Users\user\AppData\Local\Temp\tmp5E9E.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.exe
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\remcos\remcos.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\remcos\remcos.exe C:\Users\user\AppData\Roaming\remcos\remcos.exe
Source: unknown | Process created: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE 'C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe' /logtoconsole=false /logfile= /u 'C:\Users\user\AppData\Roaming\remcos\remcos.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe' /logtoconsole=false /logfile= /u 'C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tQVctBZDKZIa' /XML 'C:\Users\user\AppData\Local\Temp\tmp7B7D.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\remcos\remcos.exe C:\Users\user\AppData\Roaming\remcos\remcos.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\remcos\remcos.exe 'C:\Users\user\AppData\Roaming\remcos\remcos.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe' /logtoconsole=false /logfile= /u 'C:\Users\user\AppData\Roaming\remcos\remcos.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\remcos\remcos.exe 'C:\Users\user\AppData\Roaming\remcos\remcos.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe' /logtoconsole=false /logfile= /u 'C:\Users\user\AppData\Roaming\remcos\remcos.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe' /logtoconsole=false /logfile= /u 'C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tQVctBZDKZIa' /XML 'C:\Users\user\AppData\Local\Temp\tmp5E9E.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Process created: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Process created: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE 'C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.exe'
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\remcos\remcos.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\remcos\remcos.exe C:\Users\user\AppData\Roaming\remcos\remcos.exe
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe' /logtoconsole=false /logfile= /u 'C:\Users\user\AppData\Roaming\remcos\remcos.exe'
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe' /logtoconsole=false /logfile= /u 'C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tQVctBZDKZIa' /XML 'C:\Users\user\AppData\Local\Temp\tmp7B7D.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Process created: C:\Users\user\AppData\Roaming\remcos\remcos.exe C:\Users\user\AppData\Roaming\remcos\remcos.exe
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe' /logtoconsole=false /logfile= /u 'C:\Users\user\AppData\Roaming\remcos\remcos.exe'
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe' /logtoconsole=false /logfile= /u 'C:\Users\user\AppData\Roaming\remcos\remcos.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Uses Microsoft Silverlight
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
PE file contains a COM descriptor data directory
Source: DHL 2723 382830 RECIBO, PDF.EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Uses new MSVCR DLLs
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: DHL 2723 382830 RECIBO, PDF.EXE | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: mscorrc.pdb source: InstallUtil.exe, 00000002.00000002.801607071.00000000045F0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.1463494021.0000000005560000.00000002.00000001.sdmp, InstallUtil.exe, 0000000E.00000002.806342764.0000000004E80000.00000002.00000001.sdmp, InstallUtil.exe, 00000014.00000002.833730498.0000000004A40000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.867165796.00000000053D0000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Barez\Desktop\Cassandra\NewEngine\CoreFunctions - Private\CoreFunctions\obj\Debug\CoreFunctions.pdb source: InstallUtil.exe, 00000002.00000002.798927843.00000000026CE000.00000004.00000001.sdmp, InstallUtil.exe, 0000000E.00000002.804090554.0000000002EDC000.00000004.00000001.sdmp, InstallUtil.exe, 00000014.00000002.832136184.0000000002A9C000.00000004.00000001.sdmp, InstallUtil.exe, 00000018.00000002.864811239.000000000342C000.00000004.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Code function: 6_2_004099CD LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,6_2_004099CD
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Code function: 0_2_00BC0394 push esp; ret 0_2_00BC0395
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Code function: 6_2_004139B0 push eax; ret 6_2_004139DE
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe Code function: 10_2_00405E89 push cs; iretd 10_2_00405E8B
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe Code function: 10_2_00402A96 push esp; ret 10_2_00402A97
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe Code function: 10_2_00F90394 push esp; ret 10_2_00F90395
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Code function: 12_2_057C2A96 push esp; ret 12_2_057C2A97
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Code function: 12_2_057C5E89 push cs; iretd 12_2_057C5E8B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Code function: 12_2_015E8C38 push ebp; ret 12_2_015E8C39
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Code function: 12_2_015E8C2C push ecx; ret 12_2_015E8C2D
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe Code function: 19_2_00AB5E89 push cs; iretd 19_2_00AB5E8B
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe Code function: 19_2_00AB2A96 push esp; ret 19_2_00AB2A97
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe Code function: 19_2_02D20394 push esp; ret 19_2_02D20395
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Code function: 20_2_04C85E89 push cs; iretd 20_2_04C85E8B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Code function: 20_2_04C82A96 push esp; ret 20_2_04C82A97
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe Code function: 22_2_00895E89 push cs; iretd 22_2_00895E8B
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe Code function: 22_2_00892A96 push esp; ret 22_2_00892A97
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Code function: 24_2_055C2A96 push esp; ret 24_2_055C2A97
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Code function: 24_2_055C5E89 push cs; iretd 24_2_055C5E8B

Persistence and Installation Behavior:

Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Code function: 6_2_0040D427 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,6_2_0040D427
Drops PE files
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE File created: C:\Users\user\AppData\Roaming\remcos\remcos.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\tQVctBZDKZIa.exe
Creates install or setup log file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\installutil.exe.log

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tQVctBZDKZIa' /XML 'C:\Users\user\AppData\Local\Temp\tmp5E9E.tmp'
Contains functionality to start windows services
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Code function: 6_2_004111A9 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,6_2_004111A9
Creates an autostart registry key
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run remcos

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Code function: 6_2_004099CD LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,6_2_004099CD
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000018.00000002.864511872.00000000033A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.803556526.0000000002E50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1461211614.0000000003530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.797299976.00000000025C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.831904045.0000000002A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 484, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 2072, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 4844, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 4484, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 3240, type: MEMORY
Yara detected Cassandra Crypter
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 484, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 2072, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 4844, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 4484, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: InstallUtil.exe, 00000002.00000002.797299976.00000000025C0000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.1461211614.0000000003530000.00000004.00000001.sdmp, InstallUtil.exe, 0000000E.00000002.803556526.0000000002E50000.00000004.00000001.sdmp, InstallUtil.exe, 00000014.00000002.831904045.0000000002A10000.00000004.00000001.sdmp, InstallUtil.exe, 00000018.00000002.864511872.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: InstallUtil.exe, 00000002.00000002.797299976.00000000025C0000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.1461211614.0000000003530000.00000004.00000001.sdmp, InstallUtil.exe, 0000000E.00000002.803556526.0000000002E50000.00000004.00000001.sdmp, InstallUtil.exe, 00000014.00000002.831904045.0000000002A10000.00000004.00000001.sdmp, InstallUtil.exe, 00000018.00000002.864511872.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: OpenSCManagerA,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,EnumServicesStatusW,EnumServicesStatusW,GetLastError,malloc,EnumServicesStatusW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,OpenServiceW,QueryServiceConfigW,GetLastError,malloc,QueryServiceConfigW,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,CloseServiceHandle,free,CloseServiceHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ | 6_2_00410E72
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | API coverage: 6.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE TID: 4116 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 4512 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe TID: 4492 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE TID: 3720 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 824 | Thread sleep count: 254 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 824 | Thread sleep time: -254000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 1428 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe TID: 820 | Thread sleep count: 266 > 30
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe TID: 820 | Thread sleep time: -2660000s >= -30000s
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe TID: 4920 | Thread sleep count: 50 > 30
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe TID: 4920 | Thread sleep time: -30000000s >= -30000s
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe TID: 4920 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe TID: 2948 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 2428 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe TID: 3700 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe TID: 4808 | Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 6_2_0040504A GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040506Fh | 6_2_0040504A
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 6_2_0040504A GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040506Fh | 6_2_0040504A
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 6_2_0040740F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ | 6_2_0040740F
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 6_2_004104E0 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr | 6_2_004104E0
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 6_2_00407183 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ | 6_2_00407183
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 6_2_00404648 _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,#23,#4,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_s | 6_2_00404648
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 6_2_004126D3 wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose | 6_2_004126D3
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE | Code function: 6_2_00404AD4 wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ | 6_2_00404AD4
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXECode function: 6_2_00403315 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,6_2_00403315
Contains functionality to query local drives
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXECode function: 6_2_00403B9A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?length@?$
basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$cha6_2_00403B9A
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: InstallUtil.exe, 00000018.00000002.864511872.00000000033A0000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II,SOFTWARE\Microsoft\Windows Defender\Features
Source: InstallUtil.exe, 00000018.00000002.864511872.00000000033A0000.00000004.00000001.sdmp Binary or memory string: vmware
Source: InstallUtil.exe, 00000018.00000002.864511872.00000000033A0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: InstallUtil.exe, 00000018.00000002.864511872.00000000033A0000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: InstallUtil.exe, 00000018.00000002.864511872.00000000033A0000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: InstallUtil.exe, 00000018.00000002.864511872.00000000033A0000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: InstallUtil.exe, 00000018.00000002.864511872.00000000033A0000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: InstallUtil.exe, 00000018.00000002.864511872.00000000033A0000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: InstallUtil.exe, 00000018.00000002.864511872.00000000033A0000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Queries a list of all running processes
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Code function: 6_2_004099CD LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,6_2_004099CD
Enables debug privileges
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory allocated: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE base: 400000 protect: page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory allocated: C:\Users\user\AppData\Roaming\remcos\remcos.exe base: 400000 protect: page execute and read and write
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Code function: 6_2_0040F13D _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,6_2_0040F13D
Injects a PE file into a foreign process
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory written: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory written: C:\Users\user\AppData\Roaming\remcos\remcos.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory written: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory written: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory written: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE base: 414000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory written: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE base: 41A000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory written: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE base: 41C000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory written: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE base: 41D000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory written: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE base: DA7008
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory written: C:\Users\user\AppData\Roaming\remcos\remcos.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory written: C:\Users\user\AppData\Roaming\remcos\remcos.exe base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory written: C:\Users\user\AppData\Roaming\remcos\remcos.exe base: 414000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory written: C:\Users\user\AppData\Roaming\remcos\remcos.exe base: 41A000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory written: C:\Users\user\AppData\Roaming\remcos\remcos.exe base: 41C000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory written: C:\Users\user\AppData\Roaming\remcos\remcos.exe base: 41D000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Memory written: C:\Users\user\AppData\Roaming\remcos\remcos.exe base: 796008
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXECode function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basi
c_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, \svchost.exe6_2_0040A64B
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXECode function: 6_2_0040FC80 ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,mouse_event,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,6_2_0040FC80
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe' /logtoconsole=false /logfile= /u 'C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tQVctBZDKZIa' /XML 'C:\Users\user\AppData\Local\Temp\tmp5E9E.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Process created: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Process created: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE 'C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.exe'
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\remcos\remcos.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\remcos\remcos.exe C:\Users\user\AppData\Roaming\remcos\remcos.exe
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe' /logtoconsole=false /logfile= /u 'C:\Users\user\AppData\Roaming\remcos\remcos.exe'
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe' /logtoconsole=false /logfile= /u 'C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tQVctBZDKZIa' /XML 'C:\Users\user\AppData\Local\Temp\tmp7B7D.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Process created: C:\Users\user\AppData\Roaming\remcos\remcos.exe C:\Users\user\AppData\Roaming\remcos\remcos.exe
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe' /logtoconsole=false /logfile= /u 'C:\Users\user\AppData\Roaming\remcos\remcos.exe'
Source: C:\Users\user\AppData\Roaming\remcos\remcos.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe' /logtoconsole=false /logfile= /u 'C:\Users\user\AppData\Roaming\remcos\remcos.exe'
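The process-creation entries above, together with the "Writes to foreign memory regions" / "Injects a PE file into a foreign process" entries earlier in this section, are enough to re-derive the hollowing verdict from raw events. The script below is an added triage example and is not part of the Joe Sandbox report or its signature set. The event records are constructed here by transcribing the report lines; the rule names, the short process names used for the memory-write pairs, and the page-alignment heuristic for telling section writes from the final non-aligned write are this example's own choices. The only outside fact it relies on is that on 32-bit Windows the PEB stores ImageBaseAddress at offset 0x8, so a lone write at page+8 outside the image (DA7008, 796008) is consistent with, but not proof of, the loader patching the child's PEB to point at the injected image.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    cmdline: str  # command line of the created process


@dataclass(frozen=True)
class MemWrite:
    source: str      # process calling WriteProcessMemory
    target: str      # process being written to
    base: int        # address written
    magic: str = ""  # leading bytes as hex, when the sandbox reports them


# Constructed from the report's "Creates a process in suspended mode" entries.
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
SAMPLE = r"C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE"
REMCOS = r"C:\Users\user\AppData\Roaming\remcos\remcos.exe"
PROC_EVENTS = [
    ProcEvent(SAMPLE, INSTALLUTIL, "'%s' /logtoconsole=false /logfile= /u '%s'" % (INSTALLUTIL, SAMPLE)),
    ProcEvent(INSTALLUTIL, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tQVctBZDKZIa' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmp5E9E.tmp'"),
    ProcEvent(SAMPLE, r"C:\Windows\SysWOW64\wscript.exe",
              r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'"),
    ProcEvent(r"C:\Windows\SysWOW64\wscript.exe", r"C:\Windows\SysWOW64\cmd.exe",
              "'C:\\Windows\\System32\\cmd.exe' /c '%s'" % REMCOS),
    ProcEvent(REMCOS, INSTALLUTIL, "'%s' /logtoconsole=false /logfile= /u '%s'" % (INSTALLUTIL, REMCOS)),
]


def _hollow_writes(target, peb_page):
    """Constructed from the 'Writes to foreign memory regions' entries: one MZ
    header write at the image base, five page-aligned section writes, then a
    single non-aligned write at +8 in a page far outside the image."""
    writes = [MemWrite("InstallUtil.exe", target, 0x400000, "4D5A")]
    writes += [MemWrite("InstallUtil.exe", target, b)
               for b in (0x401000, 0x414000, 0x41A000, 0x41C000, 0x41D000)]
    writes.append(MemWrite("InstallUtil.exe", target, peb_page + 0x8))
    return writes


MEM_WRITES = _hollow_writes(SAMPLE, 0xDA7000) + _hollow_writes(REMCOS, 0x796000)

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
TEMP_DIR = "\\appdata\\local\\temp\\"
PEB_IMAGEBASE_OFFSET = 0x8  # PEB.ImageBaseAddress on 32-bit Windows (assumes a 32-bit target)


def _quoted_args(cmdline):
    """Arguments the sandbox rendered in single quotes, program path first."""
    return [a.lower() for a in re.findall(r"'([^']*)'", cmdline)]


def flag_process_event(ev):
    """Names of the detection rules a single process-creation event matches."""
    hits = []
    img, cl = ev.image.lower(), ev.cmdline.lower()
    args = _quoted_args(ev.cmdline)[1:]  # drop the program path itself
    # InstallUtil /u runs the target's uninstaller: a signed proxy-execution host
    # handed a file from a user-writable path, which here also becomes the
    # parent that hollows the next process.
    if img.endswith("\\installutil.exe") and " /u " in cl \
            and any(d in a for a in args for d in USER_WRITABLE):
        hits.append("installutil_uninstall_user_path")
    if img.endswith("\\schtasks.exe") and "/create" in cl and "/xml" in cl \
            and any(TEMP_DIR in a for a in args):
        hits.append("schtasks_xml_from_temp")
    if img.endswith("\\wscript.exe") and any(a.endswith(".vbs") and "\\temp\\" in a for a in args):
        hits.append("wscript_vbs_from_temp")
    if img.endswith("\\cmd.exe") and " /c " in cl \
            and any(a.endswith(".exe") and "\\appdata\\roaming\\" in a for a in args):
        hits.append("cmd_launches_appdata_exe")
    return hits


def classify_writes(writes):
    """Per (source, target) pair, label what the write pattern looks like."""
    by_pair = defaultdict(list)
    for w in writes:
        by_pair[(w.source, w.target)].append(w)
    out = {}
    for pair, ws in by_pair.items():
        ws.sort(key=lambda w: w.base)
        headers = [w for w in ws if w.magic.upper().startswith("4D5A")]
        if not headers:
            out[pair] = {"verdict": "foreign_write", "count": len(ws)}
            continue
        image_base = headers[0].base
        # Section writes are page-aligned and above the header; a non-aligned
        # write at page+8 is consistent with patching PEB.ImageBaseAddress.
        sections = [w.base for w in ws if w.base > image_base and w.base & 0xFFF == 0]
        peb = [w.base for w in ws if w.base & 0xFFF == PEB_IMAGEBASE_OFFSET]
        out[pair] = {"verdict": "pe_injection", "image_base": image_base,
                     "section_rvas": [b - image_base for b in sections],
                     "peb_imagebase_patch_candidates": peb}
    return out


def injected_layouts_match(results):
    """True when every PE injection wrote the same section layout (same payload)."""
    layouts = {tuple(r["section_rvas"]) for r in results.values() if r["verdict"] == "pe_injection"}
    return len(layouts) == 1


if __name__ == "__main__":
    for ev in PROC_EVENTS:
        print(flag_process_event(ev), "<-", ev.cmdline)
    verdicts = classify_writes(MEM_WRITES)
    for (src, dst), r in verdicts.items():
        print(src, "->", dst, r)
    print("same payload layout in both targets:", injected_layouts_match(verdicts))
```

Both injection targets receive the same section RVAs (0x1000, 0x14000, 0x1A000, 0x1C000, 0x1D000), which is what you expect when remcos.exe is a copy of the original sample being re-hollowed through InstallUtil after the scheduled task and install.vbs persistence steps.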
May try to detect the Windows Explorer process (often used for injection)
Source: InstallUtil.exe, 0000000C.00000002.1459253508.0000000001BA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 0000000C.00000002.1459253508.0000000001BA0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: InstallUtil.exe, 0000000C.00000002.1459253508.0000000001BA0000.00000002.00000001.sdmp Binary or memory string: hProgram ManagerWE
Source: InstallUtil.exe, 0000000C.00000002.1459253508.0000000001BA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Code function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,6_2_00409EEE
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXE Code function: 6_2_00411F49 cpuid 6_2_00411F49
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\DHL 2723 382830 RECIBO, PDF.EXECode function: 6_2_0041000C _EH_prolog,GdiplusStartup,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,CreateDirectoryW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,Sleep,GetLocalTime,swprintf,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,Sleep,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,6_2_0041000C
Contains functionality to query the account / user name
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Code function: 2_2_04B3020A GetUserNameW,2_2_04B3020A
Queries the cryptographic machine GUID
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:
