
Windows Analysis Report 41609787.exe

Overview

General Information

Sample Name:41609787.exe
Analysis ID:452431
MD5:242fb5498503fdae24861ca26f762745
SHA1:e45e4180137ea7c9d81f127fac0af48cf3b4e8d7
SHA256:7984d85806d611e8d7e3ec5640186ebce9b1daccbd07a4bbda0fc6e0e5666299

Detection

GuLoader Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Installs a global keyboard hook
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

Process Tree

  • System is w10x64
  • 41609787.exe (PID: 4548 cmdline: 'C:\Users\user\Desktop\41609787.exe' MD5: 242FB5498503FDAE24861CA26F762745)
    • ieinstal.exe (PID: 2120 cmdline: 'C:\Users\user\Desktop\41609787.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • cmd.exe (PID: 4608 cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • reg.exe (PID: 5776 cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://smokeadmsend.online/loade"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://smokeadmsend.online/loade"}
Multi AV Scanner detection for domain / URL
Source: databasepropersonombrecomercialideasearchwords.services | Virustotal: Detection: 11%
Yara detected Remcos RAT
Source: Yara match | File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY
Source: 41609787.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 198.54.115.48:443 -> 192.168.2.3:49752 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://smokeadmsend.online/loade
Source: global traffic | TCP traffic: 192.168.2.3:49753 -> 186.169.69.166:2508
Source: Joe Sandbox View | ASN Name: COLOMBIATELECOMUNICACIONESSAESPCO
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: smokeadmsend.online
Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp | String found in binary or memory: https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.bin
Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp | String found in binary or memory: https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.binwininet.dllMozilla/5.0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | HTTPS traffic detected: 198.54.115.48:443 -> 192.168.2.3:49752 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Windows user hook set: 0 keyboard low level C:\Program Files (x86)\internet explorer\ieinstal.exe

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match | File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\41609787.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021107A1 NtSetInformationThread
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021013C1 NtWriteVirtualMemory,TerminateProcess
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02110176 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107E15 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02108607 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210720B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210762B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210825E NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02108677 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107A95 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210669A NtWriteVirtualMemory,LoadLibraryA
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210829B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210728B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107EA3 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021076E5 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02108703 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107305 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02105F21 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02108324 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107F2C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107B2D NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107381 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107FB3 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021083B7 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107BC0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021077EF NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210741B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107801 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210843F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210802F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107C4F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107879 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210749C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021070AF NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021084D1 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021080C7 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107CE5 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210711D NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107903 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02103D32 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210813C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107529 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210794C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107D6B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107191 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210799F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107DB4 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021081A7 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021075A9 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107DF5 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021081FF NtWriteVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_03011587 LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_030116CC NtProtectVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_0301156F LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_03011687 NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_0301174E NtProtectVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_030116D3 NtProtectVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_030117D3 NtProtectVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_030115E3 LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_004014F0
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210EB03
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021107A1
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021013C1
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02109130
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107E15
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02106A1F
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210720B
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101E3A
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101629
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210362A
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210222A
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210762B
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101A2F
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02104651
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02102259
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210825E
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02100E47
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107A95
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210169A
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210669A
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210829B
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210728B
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101AB7
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107EA3
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02104AAD
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02100EDB
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021022DF
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101EC4
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021046FB
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021076E5
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101715
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02108703
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107305
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02104730
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101B37
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101F3F
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02105F21
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02108324
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107F2C
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107B2D
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210032F
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02102359
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02100F79
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101F93
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210179F
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107381
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101387
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107FB3
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021083B7
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101BBD
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02109BD1
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107BC0
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02106BC7
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101FF6
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021023EA
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02100FEF
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021077EF
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101819
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210741B
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107801
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02104802
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210D404
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02106C0F
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101C37
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02106C37
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210843F
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210EC2A
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210802F
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02103053
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02102043
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107C4F
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02106472
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107879
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210107F
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210146D
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101890
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210749C
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02104880
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021024A7
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021064AF
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021070AF
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021084D1
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021080C7
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021060CB
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02106CE1
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107CE5
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02104914
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101918
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210451B
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210711D
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101503
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107903
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02103D32
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101934
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210813C
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107529
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210794C
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210B962
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107D6B
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101591
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107191
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210699F
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210799F
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02106D85
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107DB4
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02101DB7
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210D5B8
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210F9A3
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021081A7
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021075A9
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021055AB
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021019AF
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021069D9
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021021DF
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210B1C3
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02100DF1
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107DF5
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021081FF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_0301136D
Source: 41609787.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 41609787.exe, 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameImpennate7.exe vs 41609787.exe
Source: 41609787.exe | Binary or memory string: OriginalFilenameImpennate7.exe vs 41609787.exe
Source: 41609787.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/2@3/2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Roaming\Runtime2021
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Mutant created: \Sessions\1\BaseNamedObjects\RemcosLEG-0OFGX3
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5156:120:WilError_01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Local\Temp\posekiggerne
Source: 41609787.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\41609787.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\41609787.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\41609787.exe 'C:\Users\user\Desktop\41609787.exe'
Source: C:\Users\user\Desktop\41609787.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\41609787.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Users\user\Desktop\41609787.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\41609787.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02061774 push edx; ret 0_2_020617A1
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02064205 push edx; ret 0_2_02064231
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02062A05 push edx; ret 0_2_02062A31
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02061205 push edx; ret 0_2_02061231
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02065A03 push edx; ret 0_2_02065A31
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02066214 push edx; ret 0_2_02066241
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02064A13 push edx; ret 0_2_02064A41
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02063213 push edx; ret 0_2_02063241
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02061A13 push edx; ret 0_2_02061A41
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02060218 push edx; ret 0_2_02060241
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02063A24 push edx; ret 0_2_02063A51
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02062224 push edx; ret 0_2_02062251
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02060A24 push edx; ret 0_2_02060A51
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02066A24 push edx; ret 0_2_02066A51
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02065225 push edx; ret 0_2_02065251
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02064233 push edx; ret 0_2_02064261
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02062A33 push edx; ret 0_2_02062A61
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02061233 push edx; ret 0_2_02061261
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02065A33 push edx; ret 0_2_02065A61
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02064A44 push edx; ret 0_2_02064A71
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02063244 push edx; ret 0_2_02063271
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02061A44 push edx; ret 0_2_02061A71
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02066244 push edx; ret 0_2_02066271
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02060248 push edx; ret 0_2_02060271
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02063A54 push edx; ret 0_2_02063A81
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02062254 push edx; ret 0_2_02062281
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02066A54 push edx; ret 0_2_02066A81
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02065253 push edx; ret 0_2_02065281
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02060A58 push edx; ret 0_2_02060A81
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02065A64 push edx; ret 0_2_02065A91
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02064263 push edx; ret 0_2_02064291
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SPINTOS
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SPINTOS
Source: C:\Users\user\Desktop\41609787.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021013C1 NtWriteVirtualMemory,TerminateProcess, 0_2_021013C1
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107E15 NtWriteVirtualMemory, 0_2_02107E15
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210720B NtWriteVirtualMemory, 0_2_0210720B
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210222A 0_2_0210222A
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210762B NtWriteVirtualMemory, 0_2_0210762B
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02104651 0_2_02104651
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02102259 TerminateProcess, 0_2_02102259
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107A95 NtWriteVirtualMemory, 0_2_02107A95
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210669A NtWriteVirtualMemory,LoadLibraryA, 0_2_0210669A
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210728B NtWriteVirtualMemory, 0_2_0210728B
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107EA3 NtWriteVirtualMemory, 0_2_02107EA3
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021022DF 0_2_021022DF
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021076E5 NtWriteVirtualMemory, 0_2_021076E5
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107305 NtWriteVirtualMemory, 0_2_02107305
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02105F21 NtWriteVirtualMemory, 0_2_02105F21
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107F2C NtWriteVirtualMemory, 0_2_02107F2C
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107B2D NtWriteVirtualMemory, 0_2_02107B2D
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210032F LdrInitializeThunk, 0_2_0210032F
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02102359 0_2_02102359
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107381 NtWriteVirtualMemory, 0_2_02107381
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107FB3 NtWriteVirtualMemory, 0_2_02107FB3
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107BC0 NtWriteVirtualMemory, 0_2_02107BC0
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021023EA 0_2_021023EA
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021077EF NtWriteVirtualMemory, 0_2_021077EF
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210741B NtWriteVirtualMemory, 0_2_0210741B
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107801 NtWriteVirtualMemory, 0_2_02107801
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107C4F NtWriteVirtualMemory, 0_2_02107C4F
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107879 NtWriteVirtualMemory, 0_2_02107879
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210749C NtWriteVirtualMemory, 0_2_0210749C
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021024A7 0_2_021024A7
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021070AF NtWriteVirtualMemory, 0_2_021070AF
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107CE5 NtWriteVirtualMemory, 0_2_02107CE5
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210451B 0_2_0210451B
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210711D NtWriteVirtualMemory, 0_2_0210711D
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107903 NtWriteVirtualMemory, 0_2_02107903
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02103D32 NtWriteVirtualMemory, 0_2_02103D32
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107529 NtWriteVirtualMemory, 0_2_02107529
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210794C NtWriteVirtualMemory, 0_2_0210794C
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107D6B NtWriteVirtualMemory, 0_2_02107D6B
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107191 NtWriteVirtualMemory, 0_2_02107191
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210799F NtWriteVirtualMemory, 0_2_0210799F
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107DB4 NtWriteVirtualMemory, 0_2_02107DB4
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021075A9 NtWriteVirtualMemory, 0_2_021075A9
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021021DF TerminateProcess, 0_2_021021DF
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107DF5 NtWriteVirtualMemory, 0_2_02107DF5
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\41609787.exe RDTSC instruction interceptor: First address: 000000000210047C second address: 000000000210047C instructions:
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\41609787.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\41609787.exe File opened: C:\Program Files\qga\qga.exe
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32MSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
      Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp, ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32MSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=\OPTRNER.EXE\POSEKIGGERNESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSPINTOSHTTPS://SMOKEADMSEND.ONLINE/LOADER/1ARMADANAC1COPIA_YCUSOPUSF143.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\41609787.exe RDTSC instruction interceptor: First address: 000000000210047C second address: 000000000210047C instructions:
      Source: C:\Users\user\Desktop\41609787.exe RDTSC instruction interceptor: First address: 000000000210DA09 second address: 000000000210DA09 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add esi, 02h 0x00000006 mov word ptr [ebp+00000176h], ax 0x0000000d mov ax, word ptr [esi] 0x00000010 cmp ax, 0000h 0x00000014 mov ax, word ptr [ebp+00000176h] 0x0000001b jne 00007F5CC09CC9EFh 0x0000001d mov ebx, edx 0x0000001f shl edx, 05h 0x00000022 add edx, ebx 0x00000024 movzx ebx, byte ptr [esi] 0x00000027 add edx, ebx 0x00000029 xor edx, 19974490h 0x0000002f jmp 00007F5CC09CCA9Eh 0x00000031 pushad 0x00000032 mov edx, 0000000Dh 0x00000037 rdtsc
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021107A1 rdtsc 0_2_021107A1
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Window / User API: threadDelayed 1353
      Source: C:\Users\user\Desktop\41609787.exe API coverage: 9.9 %
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 1936 Thread sleep count: 1353 > 30
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Last function: Thread delayed
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread sleep count: Count: 1353 delay: -5
      Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32Msi.dllPublishershell32advapi32TEMP=\optrner.exe\posekiggerneSoftware\Microsoft\Windows\CurrentVersion\RunSPINTOShttps://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
      Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32Msi.dllPublishershell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
      Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp, ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

      Anti Debugging: