Windows Analysis Report 41609787.exe

Overview

General Information

Sample Name: 41609787.exe
Analysis ID: 452431
MD5: 242fb5498503fdae24861ca26f762745
SHA1: e45e4180137ea7c9d81f127fac0af48cf3b4e8d7
SHA256: 7984d85806d611e8d7e3ec5640186ebce9b1daccbd07a4bbda0fc6e0e5666299

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Installs a global keyboard hook
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Process Tree

  • System is w10x64
  • 41609787.exe (PID: 4548 cmdline: 'C:\Users\user\Desktop\41609787.exe' MD5: 242FB5498503FDAE24861CA26F762745)
    • ieinstal.exe (PID: 2120 cmdline: 'C:\Users\user\Desktop\41609787.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • cmd.exe (PID: 4608 cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • reg.exe (PID: 5776 cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://smokeadmsend.online/loade"}

Yara Overview

Memory Dumps

Source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://smokeadmsend.online/loade"}
Multi AV Scanner detection for domain / URL
Source: databasepropersonombrecomercialideasearchwords.services | Virustotal: Detection: 11%
Yara detected Remcos RAT
Source: Yara match | File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY
Source: 41609787.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 198.54.115.48:443 -> 192.168.2.3:49752 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://smokeadmsend.online/loade
Source: global traffic | TCP traffic: 192.168.2.3:49753 -> 186.169.69.166:2508
Source: Joe Sandbox View | ASN Name: COLOMBIATELECOMUNICACIONESSAESPCO COLOMBIATELECOMUNICACIONESSAESPCO
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: smokeadmsend.online
Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp | String found in binary or memory: https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.bin
Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp | String found in binary or memory: https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.binwininet.dllMozilla/5.0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Windows user hook set: 0 keyboard low level C:\Program Files (x86)\internet explorer\ieinstal.exe

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match | File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\41609787.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021107A1 NtSetInformationThread,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021013C1 NtWriteVirtualMemory,TerminateProcess,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02110176 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107E15 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02108607 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210720B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210762B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210825E NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02108677 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107A95 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210669A NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210829B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210728B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107EA3 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021076E5 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02108703 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107305 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02105F21 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02108324 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107F2C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107B2D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107381 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107FB3 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021083B7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107BC0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021077EF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210741B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107801 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210843F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210802F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107C4F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107879 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210749C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021070AF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021084D1 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021080C7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107CE5 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210711D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107903 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02103D32 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210813C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107529 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210794C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107D6B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107191 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_0210799F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107DB4 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021081A7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021075A9 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02107DF5 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_021081FF NtWriteVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_03011587 LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_030116CC NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_0301156F LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_03011687 NtProtectVirtualMemory,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_0301174E NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_030116D3 NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_030117D3 NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 27_2_030115E3 LdrInitializeThunk,NtProtectVirtualMemory,
Source: 41609787.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 41609787.exe, 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameImpennate7.exe vs 41609787.exe
Source: 41609787.exe | Binary or memory string: OriginalFilenameImpennate7.exe vs 41609787.exe
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/2@3/2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Roaming\Runtime2021
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Mutant created: \Sessions\1\BaseNamedObjects\RemcosLEG-0OFGX3
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5156:120:WilError_01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Local\Temp\posekiggerne
Source: 41609787.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\41609787.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\41609787.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\41609787.exe 'C:\Users\user\Desktop\41609787.exe'
Source: C:\Users\user\Desktop\41609787.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\41609787.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02061774 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02064205 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02062A05 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02061205 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02065A03 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02066214 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02064A13 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02063213 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02061A13 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02060218 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02063A24 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02062224 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02060A24 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02066A24 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02065225 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02064233 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02062A33 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02061233 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02065A33 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02064A44 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02063244 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02061A44 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02066244 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02060248 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02063A54 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02062254 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02066A54 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02065253 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02060A58 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02065A64 push edx; ret
Source: C:\Users\user\Desktop\41609787.exe | Code function: 0_2_02064263 push edx; ret
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SPINTOS
Source: C:\Users\user\Desktop\41609787.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      barindex
      Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
      Source: C:\Users\user\Desktop\41609787.exeCode function: 0_2_021013C1 NtWriteVirtualMemory,TerminateProcess,
      Source: C:\Users\user\Desktop\41609787.exeCode function: 0_2_02107E15 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exeCode function: 0_2_0210720B NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210222A
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210762B NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02104651
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02102259 TerminateProcess,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107A95 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210669A NtWriteVirtualMemory,LoadLibraryA,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210728B NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107EA3 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021022DF
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021076E5 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107305 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02105F21 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107F2C NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107B2D NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210032F LdrInitializeThunk,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02102359
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107381 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107FB3 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107BC0 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021023EA
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021077EF NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210741B NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107801 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107C4F NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107879 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210749C NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021024A7
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021070AF NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107CE5 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210451B
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210711D NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107903 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02103D32 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107529 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210794C NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107D6B NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107191 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210799F NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107DB4 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021075A9 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021021DF TerminateProcess,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02107DF5 NtWriteVirtualMemory,
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\41609787.exe RDTSC instruction interceptor: First address: 000000000210047C second address: 000000000210047C instructions:
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\41609787.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\41609787.exe File opened: C:\Program Files\qga\qga.exe
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32MSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
      Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp, ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32MSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=\OPTRNER.EXE\POSEKIGGERNESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSPINTOSHTTPS://SMOKEADMSEND.ONLINE/LOADER/1ARMADANAC1COPIA_YCUSOPUSF143.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\41609787.exe RDTSC instruction interceptor: First address: 000000000210047C second address: 000000000210047C instructions:
      Source: C:\Users\user\Desktop\41609787.exe RDTSC instruction interceptor: First address: 000000000210DA09 second address: 000000000210DA09 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add esi, 02h 0x00000006 mov word ptr [ebp+00000176h], ax 0x0000000d mov ax, word ptr [esi] 0x00000010 cmp ax, 0000h 0x00000014 mov ax, word ptr [ebp+00000176h] 0x0000001b jne 00007F5CC09CC9EFh 0x0000001d mov ebx, edx 0x0000001f shl edx, 05h 0x00000022 add edx, ebx 0x00000024 movzx ebx, byte ptr [esi] 0x00000027 add edx, ebx 0x00000029 xor edx, 19974490h 0x0000002f jmp 00007F5CC09CCA9Eh 0x00000031 pushad 0x00000032 mov edx, 0000000Dh 0x00000037 rdtsc
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021107A1 rdtsc
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Window / User API: threadDelayed 1353
      Source: C:\Users\user\Desktop\41609787.exe API coverage: 9.9 %
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 1936 Thread sleep count: 1353 > 30
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Last function: Thread delayed
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread sleep count: Count: 1353 delay: -5
      Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32Msi.dllPublishershell32advapi32TEMP=\optrner.exe\posekiggerneSoftware\Microsoft\Windows\CurrentVersion\RunSPINTOShttps://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
      Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32Msi.dllPublishershell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
      Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp, ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

      Anti Debugging:

      Hides threads from debuggers
      Source: C:\Users\user\Desktop\41609787.exe Thread information set: HideFromDebugger
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\41609787.exe Process queried: DebugPort
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021107A1 rdtsc
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210A907 LdrInitializeThunk,
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210EB03 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210CE1B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_02105F21 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210943A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_0210D822 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\41609787.exe Code function: 0_2_021055AB mov eax, dword ptr fs:[00000030h]

      HIPS / PFW / Operating System Protection Evasion:

      Writes to foreign memory regions
      Source: C:\Users\user\Desktop\41609787.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3000000
      Source: C:\Users\user\Desktop\41609787.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\41609787.exe'
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      Source: ieinstal.exe, 0000001B.00000002.726234403.0000000003800000.00000002.00000001.sdmp Binary or memory string: Program Manager
      Source: ieinstal.exe, 0000001B.00000002.726234403.0000000003800000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
      Source: ieinstal.exe, 0000001B.00000002.726234403.0000000003800000.00000002.00000001.sdmp Binary or memory string: Progman
      Source: xlogs201.dat.27.dr Binary or memory string: [ Program Manager ]
      Source: ieinstal.exe, 0000001B.00000002.726234403.0000000003800000.00000002.00000001.sdmp Binary or memory string: Progmanlock
      Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation

      Stealing of Sensitive Information:

      GuLoader behavior detected
      Source: Initial file Signature Results: GuLoader behavior
      Yara detected Remcos RAT
      Source: Yara match File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY

      Remote Access Functionality: