Windows Analysis Report mU9H96igb3.exe

Overview

General Information

Sample Name: mU9H96igb3.exe
Analysis ID: 1662
MD5: 8777020a37b6797241a489a707b9784b
SHA1: a1ed1029b967295f9ce5e9d219f41dc6c7fc4d1a
SHA256: 8a45d901cab57a1b65c32aea2452f56436dcf01c37bdf7875838e6054f395d90
Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Antivirus / Scanner detection for submitted sample
Detected Remcos RAT
GuLoader behavior detected
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Installs a global keyboard hook
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect Any.run
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates an undocumented autostart registry key
Sigma detected: WScript or CScript Dropper
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64native
  • mU9H96igb3.exe (PID: 4448 cmdline: 'C:\Users\user\Desktop\mU9H96igb3.exe' MD5: 8777020A37B6797241A489A707B9784B)
    • mU9H96igb3.exe (PID: 6380 cmdline: 'C:\Users\user\Desktop\mU9H96igb3.exe' MD5: 8777020A37B6797241A489A707B9784B)
      • wscript.exe (PID: 512 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' MD5: 4D780D8F77047EE1C65F747D9F63A1FE)
        • cmd.exe (PID: 6504 cmdline: 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • Dlls.exe (PID: 2916 cmdline: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe MD5: 8777020A37B6797241A489A707B9784B)
            • Dlls.exe (PID: 7852 cmdline: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe MD5: 8777020A37B6797241A489A707B9784B)
  • Dlls.exe (PID: 2072 cmdline: 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' MD5: 8777020A37B6797241A489A707B9784B)
  • Dlls.exe (PID: 6216 cmdline: 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' MD5: 8777020A37B6797241A489A707B9784B)
    • Dlls.exe (PID: 3384 cmdline: 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' MD5: 8777020A37B6797241A489A707B9784B)
  • Dlls.exe (PID: 7300 cmdline: 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' MD5: 8777020A37B6797241A489A707B9784B)
    • Dlls.exe (PID: 4696 cmdline: 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' MD5: 8777020A37B6797241A489A707B9784B)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://implantecapilarpereira.com/NetGen"}

Threatname: Remcos

{
  "Host:Port:Password": "monitprradministratioran.loseyourip.com:24091:1",
  "Assigned name": "NetGeneration",
  "Connect interval": "1",
  "Install flag": "Enable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "AppData",
  "Copy file": "Dlls.exe",
  "Startup value": "Chrome",
  "Hide file": "Enable",
  "Mutex": "Remcos-HCJBCA",
  "Keylog flag": "1",
  "Keylog path": "AppData",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Enable",
  "Hide keylog file": "Enable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "notepad;solitaire;",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Enable",
  "Audio record time": "5",
  "Audio path": "AppData",
  "Audio folder": "MicRecords",
  "Connect delay": "0",
  "Copy folder": "Adobes",
  "Keylog folder": "Adobes",
  "Keylog file max size": "20000"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000014.00000002.139080988334.00000000007BD000.00000004.00000020.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000009.00000002.137983792450.00000000009E7000.00000004.00000020.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
(5 of 11 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Script Execution From Temp Folder
Source: Process started; Author: Florian Roth, Max Altgelt
Data:
  Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
  CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\wscript.exe
  NewProcessName: C:\Windows\SysWOW64\wscript.exe
  OriginalFileName: C:\Windows\SysWOW64\wscript.exe
  ParentCommandLine: 'C:\Users\user\Desktop\mU9H96igb3.exe'
  ParentImage: C:\Users\user\Desktop\mU9H96igb3.exe
  ParentProcessId: 6380
  ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
  ProcessId: 512

Sigma detected: WScript or CScript Dropper
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community
Data:
  Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
  CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\wscript.exe
  NewProcessName: C:\Windows\SysWOW64\wscript.exe
  OriginalFileName: C:\Windows\SysWOW64\wscript.exe
  ParentCommandLine: 'C:\Users\user\Desktop\mU9H96igb3.exe'
  ParentImage: C:\Users\user\Desktop\mU9H96igb3.exe
  ParentProcessId: 6380
  ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
  ProcessId: 512

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000014.00000002.139080988334.00000000007BD000.00000004.00000020.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": "monitprradministratioran.loseyourip.com:24091:1", "Assigned name": "NetGeneration", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "Dlls.exe", "Startup value": "Chrome", "Hide file": "Enable", "Mutex": "Remcos-HCJBCA", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Enable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobes", "Keylog folder": "Adobes", "Keylog file max size": "20000"}
Source: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp; Malware Configuration Extractor: GuLoader {"Payload URL": "http://implantecapilarpereira.com/NetGen"}
Multi AV Scanner detection for submitted file
Source: mU9H96igb3.exe; Virustotal: Detection: 32%
Source: mU9H96igb3.exe; Metadefender: Detection: 25%
Source: mU9H96igb3.exe; ReversingLabs: Detection: 24%
Yara detected Remcos RAT
Source: Yara match; File source: 00000014.00000002.139080988334.00000000007BD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.137983792450.00000000009E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.139148441525.000000000087B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.139148381196.0000000000870000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.142216309015.00000000008EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: mU9H96igb3.exe PID: 6380, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Dlls.exe PID: 7852, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Dlls.exe PID: 3384, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Dlls.exe PID: 4696, type: MEMORYSTR
Antivirus / Scanner detection for submitted sample
Source: mU9H96igb3.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Avira: detection malicious, Label: TR/AD.Nekark.fexqx
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; ReversingLabs: Detection: 24%
Source: 21.0.Dlls.exe.400000.0.unpack; Avira: Label: TR/AD.Nekark.fexqx
Source: 16.0.Dlls.exe.400000.0.unpack; Avira: Label: TR/AD.Nekark.fexqx
Source: 19.0.Dlls.exe.400000.0.unpack; Avira: Label: TR/AD.Nekark.fexqx
Source: 16.2.Dlls.exe.400000.0.unpack; Avira: Label: TR/AD.Nekark.fexqx
Source: 17.0.Dlls.exe.400000.0.unpack; Avira: Label: TR/AD.Nekark.fexqx
Source: 18.0.Dlls.exe.400000.0.unpack; Avira: Label: TR/AD.Nekark.fexqx
Source: 2.0.mU9H96igb3.exe.400000.0.unpack; Avira: Label: TR/AD.Nekark.fexqx
Source: 9.0.mU9H96igb3.exe.400000.0.unpack; Avira: Label: TR/AD.Nekark.fexqx
Source: 15.0.Dlls.exe.400000.0.unpack; Avira: Label: TR/AD.Nekark.fexqx
Source: 20.0.Dlls.exe.400000.0.unpack; Avira: Label: TR/AD.Nekark.fexqx
Source: mU9H96igb3.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic; TCP traffic: 8.6.8.23 ports 0,1,2,4,9,24091
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: http://implantecapilarpereira.com/NetGen
Source: Malware configuration extractor; URLs: monitprradministratioran.loseyourip.com
Source: Joe Sandbox View; ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View; ASN Name: MASTER-ASCzechRepublicwwwmasterczCZ
Source: global traffic; HTTP traffic detected (4 identical requests):
  GET /NetGeneration10%20Startup_KCFPCd130.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: implantecapilarpereira.com
  Cache-Control: no-cache
Source: global traffic; TCP traffic: 192.168.11.20:49809 -> 8.6.8.23:24091
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080544159.0000000000758000.00000004.00000020.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139147980600.0000000000818000.00000004.00000020.sdmp; String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.bin
Source: Dlls.exe, 00000014.00000002.139080944862.00000000007B4000.00000004.00000020.sdmp; String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binHR
Source: mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp; String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binhttp://implantecapilarperei
Source: Dlls.exe, 00000014.00000002.139080544159.0000000000758000.00000004.00000020.sdmp, Dlls.exe, 00000015.00000002.139147980600.0000000000818000.00000004.00000020.sdmp; String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binn
Source: mU9H96igb3.exe, 00000009.00000002.137983749150.00000000009E0000.00000004.00000020.sdmp; String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.bint
Source: mU9H96igb3.exe, 00000009.00000002.137983749150.00000000009E0000.00000004.00000020.sdmp; String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binx
Source: unknown; DNS traffic detected: queries for: implantecapilarpereira.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Adobes\Dlls.exe

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match; File source: 00000014.00000002.139080988334.00000000007BD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.137983792450.00000000009E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.139148441525.000000000087B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.139148381196.0000000000870000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.142216309015.00000000008EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: mU9H96igb3.exe PID: 6380, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Dlls.exe PID: 7852, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Dlls.exe PID: 3384, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Dlls.exe PID: 4696, type: MEMORYSTR

System Summary:

Potential malicious icon found
Source: initial sample; Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: mU9H96igb3.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\mU9H96igb3.exe; Code function: 2_2_02C0474A NtSetInformationThread
Source: C:\Users\user\Desktop\mU9H96igb3.exe; Code function: 2_2_02C04084 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\mU9H96igb3.exe; Code function: 2_2_02BF087E NtWriteVirtualMemory
Source: C:\Users\user\Desktop\mU9H96igb3.exe; Code function: 2_2_02BF557A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\mU9H96igb3.exe; Code function: 2_2_02C0130A NtWriteVirtualMemory
Source: C:\Users\user\Desktop\mU9H96igb3.exe; Code function: 2_2_02BF7574 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\mU9H96igb3.exe; Code function: 9_2_00586E0F NtProtectVirtualMemory
Source: C:\Users\user\Desktop\mU9H96igb3.exe; Code function: 9_2_00584084 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\mU9H96igb3.exe; Code function: 9_2_00566970 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\mU9H96igb3.exe; Code function: 9_2_0057557A NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 15_2_02C3474A NtSetContextThread
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 15_2_02C34084 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 15_2_02C2087E NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 15_2_02C2557A NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 15_2_02C3130A NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 15_2_02C27574 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 17_2_04F74084 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 17_2_04F6087E NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 17_2_04F6557A NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 17_2_04F7474A NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 17_2_04F67574 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 17_2_04F7130A NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 18_2_0235087E NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 18_2_02364084 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 18_2_0235557A NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 18_2_0236474A NtResumeThread
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 18_2_0236130A NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 18_2_02357574 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 19_2_0058727E Sleep,NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 19_2_00586E0F NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 19_2_00586CD1 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 19_2_00586E17 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 19_2_005873EB NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 19_2_00586CCC NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 19_2_005870C5 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 20_2_00586E0F NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 20_2_00584084 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 20_2_00566970 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 20_2_0057557A NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 21_2_00586E0F NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 21_2_00584084 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 21_2_00566970 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe; Code function: 21_2_0057557A NtAllocateVirtualMemory
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exeProcess Stats: CPU usage > 98%
            Source: C:\Users\user\Desktop\mU9H96igb3.exeProcess Stats: CPU usage > 98%
            Source: mU9H96igb3.exe, 00000002.00000000.137179026496.0000000000431000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePattes5.exe vs mU9H96igb3.exe
            Source: mU9H96igb3.exe, 00000009.00000000.137581988864.0000000000431000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePattes5.exe vs mU9H96igb3.exe
            Source: mU9H96igb3.exe, 00000009.00000002.137983891314.00000000009FC000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamewscript.exe.mui` vs mU9H96igb3.exe
            Source: mU9H96igb3.exe, 00000009.00000002.137983891314.00000000009FC000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs mU9H96igb3.exe
            Source: mU9H96igb3.exe | Binary or memory string: OriginalFilenamePattes5.exe vs mU9H96igb3.exe
            Source: mU9H96igb3.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Dlls.exe.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | Section loaded: edgegdi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Section loaded: edgegdi.dll
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 8A45D901CAB57A1B65C32AEA2452F56436DCF01C37BDF7875838E6054F395D90
            Source: mU9H96igb3.exe | Virustotal: Detection: 32%
            Source: mU9H96igb3.exe | Metadefender: Detection: 25%
            Source: mU9H96igb3.exe | ReversingLabs: Detection: 24%
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | File read: C:\Users\user\Desktop\mU9H96igb3.exe
            Source: mU9H96igb3.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: unknown | Process created: C:\Users\user\Desktop\mU9H96igb3.exe 'C:\Users\user\Desktop\mU9H96igb3.exe'
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | Process created: C:\Users\user\Desktop\mU9H96igb3.exe 'C:\Users\user\Desktop\mU9H96igb3.exe'
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | Process created: C:\Users\user\Desktop\mU9H96igb3.exe 'C:\Users\user\Desktop\mU9H96igb3.exe'
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | File created: C:\Users\user\AppData\Roaming\Adobes
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | File created: C:\Users\user\AppData\Local\Temp\install.vbs
            Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@19/4@2/2
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1344:304:WilStaging_02
            Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-HCJBCA
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1344:120:WilError_03
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
            Source: Window Recorder | Window detected: More than 3 window changes detected
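            The process chain (mU9H96igb3.exe to wscript.exe with a .vbs in Temp, to cmd.exe /c, to Dlls.exe under AppData\Roaming), the Remcos-HCJBCA mutant and the NtAllocateVirtualMemory / NtWriteVirtualMemory / NtProtectVirtualMemory / NtResumeThread calls listed above are the raw material for a triage rule. The Python below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses lines in the layout used in this section (the " | " column separator is an assumption about how the report is laid out in text form) and applies four checks: a script host launched with a .vbs from Temp by a process that is not itself a script host, cmd.exe starting an executable under the roaming profile, a mutex carrying the Remcos- prefix, and a single image resolving the full allocate/write/protect/resume set commonly used to inject code into another process. The sample input is constructed from lines of this report.

```python
"""Triage checks over Joe Sandbox-style behaviour lines (added example)."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the report above, one per fact,
# with " | " between the Source column and the behaviour column.
SAMPLE_REPORT = r"""
Source: unknown | Process created: C:\Users\user\Desktop\mU9H96igb3.exe 'C:\Users\user\Desktop\mU9H96igb3.exe'
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-HCJBCA
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1344:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_0235087E NtWriteVirtualMemory, | 18_2_0235087E
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_02364084 NtProtectVirtualMemory, | 18_2_02364084
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_0235557A NtAllocateVirtualMemory, | 18_2_0235557A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_0236474A NtResumeThread, | 18_2_0236474A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 19_2_0058727E Sleep,NtProtectVirtualMemory, | 19_2_0058727E
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_0041A474 push ebp; ret | 2_2_0041A4CD
"""

# "Source: <src> | <kind>: <rest>"; the report's paths contain no spaces.
LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<kind>[A-Za-z ]+):\s*(?P<rest>.*)$")
# API names in a "Code function" column are comma-terminated identifiers.
API_RE = re.compile(r"\b[A-Z][A-Za-z0-9]+(?=,)")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Allocate, write, change protection, resume: the primitives needed to place
# and run code in another process (remote injection / hollowing).
INJECTION_SET = {"NtAllocateVirtualMemory", "NtWriteVirtualMemory",
                 "NtProtectVirtualMemory", "NtResumeThread"}


def basename(path):
    """Last component of a Windows path or object name (case preserved)."""
    return path.rsplit("\\", 1)[-1]


def parse_report(text):
    """Split report lines into process creations, mutants and API sets."""
    procs = []                      # (parent image, child image, command line)
    mutants = defaultdict(list)     # source image -> object names
    apis = defaultdict(set)         # source image -> native APIs referenced
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, kind, rest = m.group("src"), m.group("kind").strip(), m.group("rest")
        if kind == "Process created":
            image, _, cmdline = rest.partition(" ")
            procs.append((src, image, cmdline))
        elif kind == "Mutant created":
            mutants[src].append(rest)
        elif kind == "Code function":
            apis[src].update(API_RE.findall(rest))
    return procs, mutants, apis


def analyse(text):
    """Return a list of human-readable findings for the four checks."""
    procs, mutants, apis = parse_report(text)
    findings = []
    for parent, child, cmdline in procs:
        p, c = basename(parent).lower(), basename(child).lower()
        # 1. Script host fed a .vbs from the user's Temp folder by a non-script parent.
        if c in SCRIPT_HOSTS and p not in SCRIPT_HOSTS \
                and "\\appdata\\local\\temp\\" in cmdline.lower() and ".vbs" in cmdline.lower():
            findings.append(f"{c} runs a .vbs from Temp, started by {basename(parent)}")
        # 2. cmd.exe used as a trampoline to start an executable in the roaming profile.
        if p == "cmd.exe" and "\\appdata\\roaming\\" in child.lower():
            findings.append(f"cmd.exe launched executable from roaming profile: {child}")
    # 3. Remcos-style mutex name.
    for src, names in mutants.items():
        for name in names:
            if basename(name).startswith("Remcos-"):
                findings.append(f"Remcos mutex {basename(name)} created by {basename(src)}")
    # 4. One image references every primitive of the injection set.
    for src, names in apis.items():
        if INJECTION_SET <= names:
            findings.append(f"{basename(src)} references the full allocate/write/protect/resume injection set")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_REPORT):
        print("[!]", finding)
```

            On the constructed sample the four checks each fire once: the wscript.exe launch from Temp, the cmd.exe trampoline into AppData\Roaming, the Remcos-HCJBCA mutex, and the injection primitive set in Dlls.exe. The conhost.exe mutants and the push/ret line in mU9H96igb3.exe are parsed but produce nothing, which is the intended behaviour. The same checks transfer to Sysmon event IDs 1 (process creation) and 10 (process access) with the obvious field substitutions.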

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara match | File source: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_0041A474 push ebp; ret | 2_2_0041A4CD
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_0040E9CB push ecx; retf | 2_2_0040E9CC
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_004191F0 push ecx; ret | 2_2_004191F1
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_004131A3 push ecx; ret | 2_2_004132DD
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_004086CE push eax; retf | 2_2_004086CF
            Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_00411ACE push ecx; ret