Analysis Report AXZFXiJCj3

Overview

General Information

Sample Name: AXZFXiJCj3 (renamed file extension from none to exe)
Analysis ID: 317581
MD5: cb6a701436f1498897a3ee49564bcd8c
SHA1: f4097f6879b2d5ebf1590f83350b009828bd2aaa
SHA256: 292b5987d57317d8d4047a8b4dbae1fd2cbebf0fa3c89b7dcfa96b93c40e36b1

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: AXZFXiJCj3.exe Metadefender: Detection: 45%
Source: AXZFXiJCj3.exe ReversingLabs: Detection: 70%
Machine Learning detection for sample
Source: AXZFXiJCj3.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD22C0 CryptExportKey,CryptDestroyHash,memcpy,CryptEncrypt,RtlAllocateHeap,CryptDuplicateHash,CryptGetHashParam, 3_2_00FD22C0
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD2680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey, 3_2_00FD2680
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD1FF0 memcpy,CryptDuplicateHash,CryptDestroyHash,RtlAllocateHeap, 3_2_00FD1FF0
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03043A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 0_2_03043A20
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 3_2_00FD3A20

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.5:49719 -> 190.202.229.74:80
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.5:49723 -> 118.69.11.81:7080
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49728 -> 70.39.251.94:8080
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.5:49734 -> 87.230.25.43:8080
Source: Traffic Snort IDS: 2404348 ET CNC Feodo Tracker Reported CnC Server TCP group 25 192.168.2.5:49737 -> 94.23.62.116:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49723 -> 118.69.11.81:7080
Source: global traffic TCP traffic: 192.168.2.5:49728 -> 70.39.251.94:8080
Source: global traffic TCP traffic: 192.168.2.5:49734 -> 87.230.25.43:8080
Source: global traffic TCP traffic: 192.168.2.5:49737 -> 94.23.62.116:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 87.230.25.43 87.230.25.43
Source: Joe Sandbox View IP Address: 94.23.62.116 94.23.62.116
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Source: Joe Sandbox View ASN Name: CANTVServiciosVenezuelaVE CANTVServiciosVenezuelaVE
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.5:49719 -> 190.202.229.74:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  POST /wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 94.23.62.116/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=----------------f0w0JM1b6rSEaEm2
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 94.23.62.116:8080
  Content-Length: 4596
  Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown HTTP traffic detected:
  POST /wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 94.23.62.116/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=----------------f0w0JM1b6rSEaEm2
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 94.23.62.116:8080
  Content-Length: 4596
  Cache-Control: no-cache
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp String found in binary or memory: http://118.69.11.81:7080/0jC3/
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp String found in binary or memory: http://118.69.11.81:7080/0jC3/shqos.dll.mui
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp String found in binary or memory: http://190.202.229.74/5Uu8vkcV8mWoFDLq/
Source: hlink.exe, 00000003.00000003.324564616.0000000001155000.00000004.00000001.sdmp String found in binary or memory: http://190.202.229.74/5Uu8vkcV8mWoFDLq/&
Source: hlink.exe, 00000003.00000003.324564616.0000000001155000.00000004.00000001.sdmp String found in binary or memory: http://190.202.229.74/5Uu8vkcV8mWoFDLq/S
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp String found in binary or memory: http://87.230.25.43:8080/Xw4Uto40i4G/H7gZE1odrrHvZ/5xEzKI/iLSKW7PXZiCOYRz82y7/
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp String found in binary or memory: http://87.230.25.43:8080/Xw4Uto40i4G/H7gZE1odrrHvZ/5xEzKI/iLSKW7PXZiCOYRz82y7/(
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp String found in binary or memory: http://87.230.25.43:8080/Xw4Uto40i4G/H7gZE1odrrHvZ/5xEzKI/iLSKW7PXZiCOYRz82y7/K
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp String found in binary or memory: http://87.230.25.43:8080/Xw4Uto40i4G/H7gZE1odrrHvZ/5xEzKI/iLSKW7PXZiCOYRz82y7/S
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/l
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/ll
Source: svchost.exe, 00000004.00000002.503812585.000002DB0C610000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000004.00000002.503812585.000002DB0C610000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000004.00000002.503812585.000002DB0C610000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000004.00000002.503500592.000002DB0C580000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000009.00000002.306829909.00000275A3E13000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000003.306470665.00000275A3E5A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.306404047.00000275A3E4B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000002.306856777.00000275A3E42000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000002.306856777.00000275A3E42000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000002.306869256.00000275A3E5C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.306470665.00000275A3E5A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000002.306869256.00000275A3E5C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000002.306869256.00000275A3E5C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.306432354.00000275A3E63000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.306470665.00000275A3E5A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.284520109.00000275A3E31000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.306829909.00000275A3E13000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.306518386.00000275A3E45000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.306518386.00000275A3E45000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.284520109.00000275A3E31000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.306542156.00000275A3E3A000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000003.306404047.00000275A3E4B000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000003.00000002.501702388.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.502007177.0000000000FD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.236042991.0000000003004000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.236006103.0000000002FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.236081390.0000000003041000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.501876677.0000000000F74000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.hlink.exe.fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.AXZFXiJCj3.exe.3040000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD2680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey, 3_2_00FD2680

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe File created: C:\Windows\SysWOW64\InputInjectionBroker\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe File deleted: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03048330 0_2_03048330
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_030486F0 0_2_030486F0
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03047B30 0_2_03047B30
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03046860 0_2_03046860
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03044190 0_2_03044190
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_030441B7 0_2_030441B7
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_030442C9 0_2_030442C9
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03043CE0 0_2_03043CE0
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03043EE0 0_2_03043EE0
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC96CE 0_2_02FC96CE
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC9ECE 0_2_02FC9ECE
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FCA28E 0_2_02FCA28E
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC5A7E 0_2_02FC5A7E
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FD7669 0_2_02FD7669
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC5E67 0_2_02FC5E67
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC83FE 0_2_02FC83FE
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC587E 0_2_02FC587E
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC5D55 0_2_02FC5D55
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC5D2E 0_2_02FC5D2E
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD86F0 3_2_00FD86F0
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD3CE0 3_2_00FD3CE0
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD3EE0 3_2_00FD3EE0
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD42C9 3_2_00FD42C9
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD41B7 3_2_00FD41B7
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD4190 3_2_00FD4190
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD6860 3_2_00FD6860
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD8330 3_2_00FD8330
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD7B30 3_2_00FD7B30
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00E1587E 3_2_00E1587E
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00E15D55 3_2_00E15D55
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00E15D2E 3_2_00E15D2E
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00E196CE 3_2_00E196CE
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00E19ECE 3_2_00E19ECE
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00E1A28E 3_2_00E1A28E
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00E15E67 3_2_00E15E67
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00E27669 3_2_00E27669
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00E15A7E 3_2_00E15A7E
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00E183FE 3_2_00E183FE
Sample file is different than original file name gathered from version info
Source: AXZFXiJCj3.exe, 00000000.00000002.236269154.0000000003260000.00000002.00000001.sdmp Binary or memory string: originalfilename vs AXZFXiJCj3.exe
Source: AXZFXiJCj3.exe, 00000000.00000002.236269154.0000000003260000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs AXZFXiJCj3.exe
Source: AXZFXiJCj3.exe, 00000000.00000002.236230649.0000000003200000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs AXZFXiJCj3.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: classification engine Classification label: mal80.troj.evad.winEXE@16/5@0/6
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle, 0_2_03048CA0
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD4FD0 Process32NextW,Process32FirstW,Process32FirstW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,FindCloseChangeNotification, 3_2_00FD4FD0
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03045390 ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap, 0_2_03045390
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4956:120:WilError_01
Source: AXZFXiJCj3.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: AXZFXiJCj3.exe Metadefender: Detection: 45%
Source: AXZFXiJCj3.exe ReversingLabs: Detection: 70%
Source: unknown Process created: C:\Users\user\Desktop\AXZFXiJCj3.exe 'C:\Users\user\Desktop\AXZFXiJCj3.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: unknown Process created: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Process created: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03001030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_03001030
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03046320 push ecx; mov dword ptr [esp], 00009128h 0_2_03046321
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03046220 push ecx; mov dword ptr [esp], 00004B50h 0_2_03046221
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03046240 push ecx; mov dword ptr [esp], 00008F23h 0_2_03046241
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03046140 push ecx; mov dword ptr [esp], 00004AF2h 0_2_03046141
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03046180 push ecx; mov dword ptr [esp], 0000D106h 0_2_03046181
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03046090 push ecx; mov dword ptr [esp], 0000BAD9h 0_2_03046091
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_030462A0 push ecx; mov dword ptr [esp], 0000BFAAh 0_2_030462A1
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_030461B0 push ecx; mov dword ptr [esp], 000003A6h 0_2_030461B1
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_030462D0 push ecx; mov dword ptr [esp], 00001969h 0_2_030462D1
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_030461D0 push ecx; mov dword ptr [esp], 00004B56h 0_2_030461D1
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_030460F0 push ecx; mov dword ptr [esp], 0000A172h 0_2_030460F1
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC7EBE push ecx; mov dword ptr [esp], 00009128h 0_2_02FC7EBF
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC7E6E push ecx; mov dword ptr [esp], 00001969h 0_2_02FC7E6F
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC7E3E push ecx; mov dword ptr [esp], 0000BFAAh 0_2_02FC7E3F
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FE3FD9 push ss; iretd 0_2_02FE3FDE
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FD8B8F push edi; iretd 0_2_02FD8BA1
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC7CDE push ecx; mov dword ptr [esp], 00004AF2h 0_2_02FC7CDF
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FE449C push ebx; iretd 0_2_02FE44AF
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FE449C push FFFFFF95h; iretd 0_2_02FE44F1
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC7C8E push ecx; mov dword ptr [esp], 0000A172h 0_2_02FC7C8F
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC7C2E push ecx; mov dword ptr [esp], 0000BAD9h 0_2_02FC7C2F
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC7DDE push ecx; mov dword ptr [esp], 00008F23h 0_2_02FC7DDF
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC7DBE push ecx; mov dword ptr [esp], 00004B50h 0_2_02FC7DBF
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC7D6E push ecx; mov dword ptr [esp], 00004B56h 0_2_02FC7D6F
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC7D4E push ecx; mov dword ptr [esp], 000003A6h 0_2_02FC7D4F
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC7D1E push ecx; mov dword ptr [esp], 0000D106h 0_2_02FC7D1F
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD60F0 push ecx; mov dword ptr [esp], 0000A172h 3_2_00FD60F1
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD62D0 push ecx; mov dword ptr [esp], 00001969h 3_2_00FD62D1
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD61D0 push ecx; mov dword ptr [esp], 00004B56h 3_2_00FD61D1
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD61B0 push ecx; mov dword ptr [esp], 000003A6h 3_2_00FD61B1
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD62A0 push ecx; mov dword ptr [esp], 0000BFAAh 3_2_00FD62A1

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Executable created and started: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe PE file moved: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe File opened: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe:Zone.Identifier read attributes | delete

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap, 0_2_03045390
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6060 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03043A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 0_2_03043A20
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 3_2_00FD3A20
Source: svchost.exe, 00000006.00000002.292246563.0000019630140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.502619598.000002705E790000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.311498734.0000020BEA140000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000004.00000002.504082116.000002DB0C660000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000001.00000002.491247141.000002652D602000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: hlink.exe, 00000003.00000003.324534644.0000000002BB7000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.503963627.000002DB0C64B000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.292246563.0000019630140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.502619598.000002705E790000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.311498734.0000020BEA140000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000006.00000002.292246563.0000019630140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.502619598.000002705E790000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.311498734.0000020BEA140000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000004.00000002.501259513.000002DB06E29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@Af
Source: svchost.exe, 00000007.00000002.501267426.000002705DC68000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.501064177.0000020DC6A29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000006.00000002.292246563.0000019630140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.502619598.000002705E790000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.311498734.0000020BEA140000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03001030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_03001030
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03045140 mov eax, dword ptr fs:[00000030h] 0_2_03045140
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03044190 mov eax, dword ptr fs:[00000030h] 0_2_03044190
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC6CDE mov eax, dword ptr fs:[00000030h] 0_2_02FC6CDE
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC0456 mov eax, dword ptr fs:[00000030h] 0_2_02FC0456
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC095E mov eax, dword ptr fs:[00000030h] 0_2_02FC095E
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_02FC5D2E mov eax, dword ptr fs:[00000030h] 0_2_02FC5D2E
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03001030 mov eax, dword ptr fs:[00000030h] 0_2_03001030
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD4190 mov eax, dword ptr fs:[00000030h] 3_2_00FD4190
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD5140 mov eax, dword ptr fs:[00000030h] 3_2_00FD5140
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00E16CDE mov eax, dword ptr fs:[00000030h] 3_2_00E16CDE
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00E10456 mov eax, dword ptr fs:[00000030h] 3_2_00E10456
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00E1095E mov eax, dword ptr fs:[00000030h] 3_2_00E1095E
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00E15D2E mov eax, dword ptr fs:[00000030h] 3_2_00E15D2E
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00F71030 mov eax, dword ptr fs:[00000030h] 3_2_00F71030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe Code function: 0_2_03001030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_03001030
Source: hlink.exe, 00000003.00000002.502358553.00000000016F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: hlink.exe, 00000003.00000002.502358553.00000000016F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: hlink.exe, 00000003.00000002.502358553.00000000016F0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: hlink.exe, 00000003.00000002.502358553.00000000016F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: hlink.exe, 00000003.00000002.502358553.00000000016F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Code function: 3_2_00FD5720 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo, 3_2_00FD5720
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000B.00000002.501011361.00000181C223D000.00000004.00000001.sdmp Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000B.00000002.500977549.00000181C2220000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000003.00000002.501702388.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.502007177.0000000000FD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.236042991.0000000003004000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.236006103.0000000002FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.236081390.0000000003041000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.501876677.0000000000F74000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.hlink.exe.fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.AXZFXiJCj3.exe.3040000.1.unpack, type: UNPACKEDPE