Analysis Report 23cf697d5faf11a3ffdd271e1d301173

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA,		0_2_00402770
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA,		0_2_00402770
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA,		3_2_00402770
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02172730 CryptAcquireContextW,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey,		3_2_02172730
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02172330 CryptGetHashParam,CryptExportKey,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptEncrypt,memcpy,GetProcessHeap,HeapFree,		3_2_02172330
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02172010 memcpy,CryptDestroyHash,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDecrypt,CryptVerifySignatureW,GetProcessHeap,HeapFree,		3_2_02172010

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02633A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,		0_2_02633A10
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02633A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,		0_2_02633A10
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02173A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,		3_2_02173A10

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.3:49709 -> 152.32.75.74:443
Source: Traffic	Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.3:49715 -> 91.121.200.35:8080
Source: Traffic	Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.3:49709 -> 152.32.75.74:443
Source: Traffic	Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.3:49715 -> 91.121.200.35:8080

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.3:49715 -> 91.121.200.35:8080
Source: global traffic	TCP traffic: 192.168.2.3:49715 -> 91.121.200.35:8080

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 152.32.75.74 152.32.75.74
Source: Joe Sandbox View	IP Address: 152.32.75.74 152.32.75.74
Source: Joe Sandbox View	IP Address: 91.121.200.35 91.121.200.35

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CONVERGE-ASConvergeICTSolutionsIncPH CONVERGE-ASConvergeICTSolutionsIncPH
Source: Joe Sandbox View	ASN Name: CONVERGE-ASConvergeICTSolutionsIncPH CONVERGE-ASConvergeICTSolutionsIncPH
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.3:49709 -> 152.32.75.74:443
Source: global traffic	TCP traffic: 192.168.2.3:49709 -> 152.32.75.74:443

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: POST /b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 91.121.200.35/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------D8UJrrwPxAUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 91.121.200.35:8080Content-Length: 4580Cache-Control: no-cache

Source: global traffic

HTTP traffic detected: POST /b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 91.121.200.35/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------D8UJrrwPxAUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 91.121.200.35:8080Content-Length: 4580Cache-Control: no-cache

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 152.32.75.74
Source: unknown	TCP traffic detected without corresponding DNS query: 152.32.75.74
Source: unknown	TCP traffic detected without corresponding DNS query: 152.32.75.74
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 152.32.75.74
Source: unknown	TCP traffic detected without corresponding DNS query: 152.32.75.74
Source: unknown	TCP traffic detected without corresponding DNS query: 152.32.75.74
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35

Contains functionality to download additional files from the internet

Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02172A80 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW,		3_2_02172A80
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02172A80 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW,		3_2_02172A80

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 91.121.200.35/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------D8UJrrwPxAUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 91.121.200.35:8080Content-Length: 4580Cache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 91.121.200.35/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------D8UJrrwPxAUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 91.121.200.35:8080Content-Length: 4580Cache-Control: no-cache

Urls found in memory or binary data

Source: dot3hc.exe, 00000003.00000002.484904618.00000000022D4000.00000004.00000001.sdmp	String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/
Source: dot3hc.exe, 00000003.00000002.484904618.00000000022D4000.00000004.00000001.sdmp	String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/#
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/2n
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/ILE
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/ata
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/ste
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/
Source: dot3hc.exe, 00000003.00000002.484989127.00000000022DD000.00000004.00000001.sdmp	String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/-
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/5
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/D
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/s
Source: svchost.exe, 00000007.00000002.488170801.0000027E35600000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000007.00000002.488170801.0000027E35600000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000007.00000002.488170801.0000027E35600000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000007.00000002.487810077.0000027E35490000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000C.00000002.308182111.000001A004213000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.comr
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.308238435.000001A00424E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000003.307826493.000001A004240000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000003.307826493.000001A004240000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.307826493.000001A004240000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.307787026.000001A004263000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.307821900.000001A004245000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.285967172.000001A004232000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.308182111.000001A004213000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.285967172.000001A004232000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.307821900.000001A004245000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.285967172.000001A004232000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000003.285967172.000001A004232000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000002.308238435.000001A00424E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: dot3hc.exe, 00000003.00000002.484904618.00000000022D4000.00000004.00000001.sdmp	String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/
Source: dot3hc.exe, 00000003.00000002.484904618.00000000022D4000.00000004.00000001.sdmp	String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/#
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/2n
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/ILE
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/ata
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/ste
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/
Source: dot3hc.exe, 00000003.00000002.484989127.00000000022DD000.00000004.00000001.sdmp	String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/-
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/5
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/D
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/s
Source: svchost.exe, 00000007.00000002.488170801.0000027E35600000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000007.00000002.488170801.0000027E35600000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000007.00000002.488170801.0000027E35600000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000007.00000002.487810077.0000027E35490000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000C.00000002.308182111.000001A004213000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.comr
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.308238435.000001A00424E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000003.307826493.000001A004240000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000003.307826493.000001A004240000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.307826493.000001A004240000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.307787026.000001A004263000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.307821900.000001A004245000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.285967172.000001A004232000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.308182111.000001A004213000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.285967172.000001A004232000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.307821900.000001A004245000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.285967172.000001A004232000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000003.285967172.000001A004232000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000002.308238435.000001A00424E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: dot3hc.exe, 00000003.00000002.483182974.000000000064A000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: dot3hc.exe, 00000003.00000002.483182974.000000000064A000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 00000003.00000002.484278022.0000000002171000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.220853815.0000000002631000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.220137105.0000000002120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.483728370.00000000020E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.220808157.00000000025E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.482905413.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.23cf697d5faf11a3ffdd271e1d301173.exe.2630000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.dot3hc.exe.2170000.1.unpack, type: UNPACKEDPE

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02172730 CryptAcquireContextW,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey,		3_2_02172730
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02172730 CryptAcquireContextW,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey,		3_2_02172730

System Summary:

Creates files inside the system directory

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	File created: C:\Windows\SysWOW64\cleanmgr\			Jump to behavior
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	File created: C:\Windows\SysWOW64\cleanmgr\			Jump to behavior

Deletes files inside the Windows folder

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	File deleted: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe:Zone.Identifier			Jump to behavior
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	File deleted: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe:Zone.Identifier			Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_004098D7		0_2_004098D7
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00408974		0_2_00408974
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02638180		0_2_02638180
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02631C70		0_2_02631C70
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02637590		0_2_02637590
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0212380E		0_2_0212380E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02129D1E		0_2_02129D1E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0212912E		0_2_0212912E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_004098D7		0_2_004098D7
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00408974		0_2_00408974
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02638180		0_2_02638180
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02631C70		0_2_02631C70
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02637590		0_2_02637590
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0212380E		0_2_0212380E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02129D1E		0_2_02129D1E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0212912E		0_2_0212912E
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_004098D7		3_2_004098D7
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_00408974		3_2_00408974
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02178180		3_2_02178180
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02171C70		3_2_02171C70
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02177590		3_2_02177590

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: String function: 00408928 appears 53 times
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: String function: 00408928 appears 53 times
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: String function: 00408928 appears 53 times

Sample file is different than original file name gathered from version info

Source: 23cf697d5faf11a3ffdd271e1d301173.exe, 00000000.00000002.221221155.00000000029F0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 23cf697d5faf11a3ffdd271e1d301173.exe
Source: 23cf697d5faf11a3ffdd271e1d301173.exe, 00000000.00000002.221221155.00000000029F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 23cf697d5faf11a3ffdd271e1d301173.exe
Source: 23cf697d5faf11a3ffdd271e1d301173.exe, 00000000.00000002.221055432.00000000027E0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 23cf697d5faf11a3ffdd271e1d301173.exe
Source: 23cf697d5faf11a3ffdd271e1d301173.exe, 00000000.00000002.221221155.00000000029F0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 23cf697d5faf11a3ffdd271e1d301173.exe
Source: 23cf697d5faf11a3ffdd271e1d301173.exe, 00000000.00000002.221221155.00000000029F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 23cf697d5faf11a3ffdd271e1d301173.exe
Source: 23cf697d5faf11a3ffdd271e1d301173.exe, 00000000.00000002.221055432.00000000027E0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 23cf697d5faf11a3ffdd271e1d301173.exe

Tries to load missing DLLs

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Classification label

Source: classification engine

Classification label: mal68.troj.evad.winEXE@19/13@0/3

Contains functionality to create services

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,		0_2_02638730
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,		0_2_02638730

Contains functionality to enum processes or threads

Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02174CA0 Process32NextW,Process32NextW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,FindCloseChangeNotification,		3_2_02174CA0
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02174CA0 Process32NextW,Process32NextW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,FindCloseChangeNotification,		3_2_02174CA0

Contains functionality to modify services (start/stop/modify)

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635060 QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,		0_2_02635060
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635060 QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,		0_2_02635060

Creates files inside the user directory

Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\Local\Comms\UnistoreDB\tmp.edb			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\Local\Comms\UnistoreDB\tmp.edb			Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4660:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4660:120:WilError_01

PE file has an executable .text section and no other executable section

Source: 23cf697d5faf11a3ffdd271e1d301173.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 23cf697d5faf11a3ffdd271e1d301173.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads ini files

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	File read: C:\Users\desktop.ini			Jump to behavior
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	File read: C:\Users\desktop.ini			Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior

Reads the hosts file

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe 'C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: unknown	Process created: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe C:\Windows\SysWOW64\cleanmgr\dot3hc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Process created: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe C:\Windows\SysWOW64\cleanmgr\dot3hc.exe			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable			Jump to behavior
Source: unknown	Process created: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe 'C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: unknown	Process created: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe C:\Windows\SysWOW64\cleanmgr\dot3hc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Process created: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe C:\Windows\SysWOW64\cleanmgr\dot3hc.exe			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32			Jump to behavior
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32			Jump to behavior

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA,		0_2_00402770
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA,		0_2_00402770

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00406030 push eax; ret		0_2_0040604E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00408963 push ecx; ret		0_2_00408973
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0040AB90 push eax; ret		0_2_0040ABA4
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0040AB90 push eax; ret		0_2_0040ABCC
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635E70 push ecx; mov dword ptr [esp], 00008D73h		0_2_02635E71
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635E40 push ecx; mov dword ptr [esp], 0000AEA2h		0_2_02635E41
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635EA0 push ecx; mov dword ptr [esp], 00007473h		0_2_02635EA1
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635F70 push ecx; mov dword ptr [esp], 000084ADh		0_2_02635F71
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635F20 push ecx; mov dword ptr [esp], 0000E2ADh		0_2_02635F21
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635FB0 push ecx; mov dword ptr [esp], 0000460Eh		0_2_02635FB1
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635D70 push ecx; mov dword ptr [esp], 00008067h		0_2_02635D71
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635D30 push ecx; mov dword ptr [esp], 00002C7Ch		0_2_02635D31
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635D00 push ecx; mov dword ptr [esp], 000021B4h		0_2_02635D01
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635DE0 push ecx; mov dword ptr [esp], 000025AAh		0_2_02635DE1
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635DA0 push ecx; mov dword ptr [esp], 000036B8h		0_2_02635DA1
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02127A0E push ecx; mov dword ptr [esp], 00008D73h		0_2_02127A0F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02127A3E push ecx; mov dword ptr [esp], 00007473h		0_2_02127A3F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02127ABE push ecx; mov dword ptr [esp], 0000E2ADh		0_2_02127ABF
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02127B0E push ecx; mov dword ptr [esp], 000084ADh		0_2_02127B0F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02127B4E push ecx; mov dword ptr [esp], 0000460Eh		0_2_02127B4F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0212789E push ecx; mov dword ptr [esp], 000021B4h		0_2_0212789F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_021278CE push ecx; mov dword ptr [esp], 00002C7Ch		0_2_021278CF
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0212790E push ecx; mov dword ptr [esp], 00008067h		0_2_0212790F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0212793E push ecx; mov dword ptr [esp], 000036B8h		0_2_0212793F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0212797E push ecx; mov dword ptr [esp], 000025AAh		0_2_0212797F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_021279DE push ecx; mov dword ptr [esp], 0000AEA2h		0_2_021279DF
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00406030 push eax; ret		0_2_0040604E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00408963 push ecx; ret		0_2_00408973
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0040AB90 push eax; ret		0_2_0040ABA4
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0040AB90 push eax; ret		0_2_0040ABCC
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635E70 push ecx; mov dword ptr [esp], 00008D73h		0_2_02635E71
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635E40 push ecx; mov dword ptr [esp], 0000AEA2h		0_2_02635E41
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635EA0 push ecx; mov dword ptr [esp], 00007473h		0_2_02635EA1
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635F70 push ecx; mov dword ptr [esp], 000084ADh		0_2_02635F71
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635F20 push ecx; mov dword ptr [esp], 0000E2ADh		0_2_02635F21
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635FB0 push ecx; mov dword ptr [esp], 0000460Eh		0_2_02635FB1
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635D70 push ecx; mov dword ptr [esp], 00008067h		0_2_02635D71
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635D30 push ecx; mov dword ptr [esp], 00002C7Ch		0_2_02635D31
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635D00 push ecx; mov dword ptr [esp], 000021B4h		0_2_02635D01
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635DE0 push ecx; mov dword ptr [esp], 000025AAh		0_2_02635DE1
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02635DA0 push ecx; mov dword ptr [esp], 000036B8h		0_2_02635DA1
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02127A0E push ecx; mov dword ptr [esp], 00008D73h		0_2_02127A0F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02127A3E push ecx; mov dword ptr [esp], 00007473h		0_2_02127A3F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02127ABE push ecx; mov dword ptr [esp], 0000E2ADh		0_2_02127ABF
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02127B0E push ecx; mov dword ptr [esp], 000084ADh		0_2_02127B0F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02127B4E push ecx; mov dword ptr [esp], 0000460Eh		0_2_02127B4F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0212789E push ecx; mov dword ptr [esp], 000021B4h		0_2_0212789F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_021278CE push ecx; mov dword ptr [esp], 00002C7Ch		0_2_021278CF
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0212790E push ecx; mov dword ptr [esp], 00008067h		0_2_0212790F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0212793E push ecx; mov dword ptr [esp], 000036B8h		0_2_0212793F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0212797E push ecx; mov dword ptr [esp], 000025AAh		0_2_0212797F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_021279DE push ecx; mov dword ptr [esp], 0000AEA2h		0_2_021279DF
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_00406030 push eax; ret		3_2_0040604E
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_00408963 push ecx; ret		3_2_00408973
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_0040AB90 push eax; ret		3_2_0040ABA4
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_0040AB90 push eax; ret		3_2_0040ABCC
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02175E40 push ecx; mov dword ptr [esp], 0000AEA2h		3_2_02175E41

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Executable created and started: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe			Jump to behavior
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Executable created and started: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe			Jump to behavior

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	PE file moved: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe			Jump to behavior
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	PE file moved: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	File opened: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe:Zone.Identifier read attributes | delete			Jump to behavior
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	File opened: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe:Zone.Identifier read attributes | delete			Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior

Contains functionality to enumerate running services

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,		0_2_02635060
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,		0_2_02635060

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 6408	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6408	Thread sleep time: -30000s >= -30000s			Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe	File opened: PhysicalDrive0			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: PhysicalDrive0			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Checks the free space of harddrives

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02633A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,		0_2_02633A10
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02633A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,		0_2_02633A10
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02173A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,		3_2_02173A10

Contains functionality to query system information

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0040D8AC VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,		0_2_0040D8AC
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0040D8AC VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,		0_2_0040D8AC

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000007.00000002.488474706.0000027E35662000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000006.00000002.481994541.000001F95C402000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: dot3hc.exe, 00000003.00000002.484904618.00000000022D4000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.488445142.0000027E35655000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000007.00000002.483403302.0000027E2FE29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW]f5~
Source: svchost.exe, 00000006.00000002.482120336.000001F95C429000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.482526087.0000022005268000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.482223226.000002088D829000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000007.00000002.488474706.0000027E35662000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000006.00000002.481994541.000001F95C402000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: dot3hc.exe, 00000003.00000002.484904618.00000000022D4000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.488445142.0000027E35655000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000007.00000002.483403302.0000027E2FE29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW]f5~
Source: svchost.exe, 00000006.00000002.482120336.000001F95C429000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.482526087.0000022005268000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.482223226.000002088D829000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Process information queried: ProcessInformation			Jump to behavior
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Process information queried: ProcessInformation			Jump to behavior

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA,		0_2_00402770
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA,		0_2_00402770

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA,		0_2_00402770
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA,		0_2_00402770

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02634E10 mov eax, dword ptr fs:[00000030h]		0_2_02634E10
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02633F70 mov eax, dword ptr fs:[00000030h]		0_2_02633F70
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02125B0E mov eax, dword ptr fs:[00000030h]		0_2_02125B0E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02120456 mov eax, dword ptr fs:[00000030h]		0_2_02120456
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0212095E mov eax, dword ptr fs:[00000030h]		0_2_0212095E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_021269AE mov eax, dword ptr fs:[00000030h]		0_2_021269AE
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_025E1030 mov eax, dword ptr fs:[00000030h]		0_2_025E1030
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02634E10 mov eax, dword ptr fs:[00000030h]		0_2_02634E10
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02633F70 mov eax, dword ptr fs:[00000030h]		0_2_02633F70
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02125B0E mov eax, dword ptr fs:[00000030h]		0_2_02125B0E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02120456 mov eax, dword ptr fs:[00000030h]		0_2_02120456
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0212095E mov eax, dword ptr fs:[00000030h]		0_2_0212095E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_021269AE mov eax, dword ptr fs:[00000030h]		0_2_021269AE
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_025E1030 mov eax, dword ptr fs:[00000030h]		0_2_025E1030
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02174E10 mov eax, dword ptr fs:[00000030h]		3_2_02174E10
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_02173F70 mov eax, dword ptr fs:[00000030h]		3_2_02173F70
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_020E1030 mov eax, dword ptr fs:[00000030h]		3_2_020E1030

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02633A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,		0_2_02633A10
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_02633A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,		0_2_02633A10

Contains functionality to register its own exception handler

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00409FBA SetUnhandledExceptionFilter,		0_2_00409FBA
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00409FCE SetUnhandledExceptionFilter,		0_2_00409FCE
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00409FBA SetUnhandledExceptionFilter,		0_2_00409FBA
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00409FCE SetUnhandledExceptionFilter,		0_2_00409FCE
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_00409FBA SetUnhandledExceptionFilter,		3_2_00409FBA
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: 3_2_00409FCE SetUnhandledExceptionFilter,		3_2_00409FCE

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Source: dot3hc.exe, 00000003.00000002.483551801.0000000000CD0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.484518801.00000212DA190000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: dot3hc.exe, 00000003.00000002.483551801.0000000000CD0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.484518801.00000212DA190000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: dot3hc.exe, 00000003.00000002.483551801.0000000000CD0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.484518801.00000212DA190000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: dot3hc.exe, 00000003.00000002.483551801.0000000000CD0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.484518801.00000212DA190000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: dot3hc.exe, 00000003.00000002.483551801.0000000000CD0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.484518801.00000212DA190000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: dot3hc.exe, 00000003.00000002.483551801.0000000000CD0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.484518801.00000212DA190000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: dot3hc.exe, 00000003.00000002.483551801.0000000000CD0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.484518801.00000212DA190000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: dot3hc.exe, 00000003.00000002.483551801.0000000000CD0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.484518801.00000212DA190000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: GetLocaleInfoA,		0_2_0040CC72
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,		0_2_0040F81E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: GetLocaleInfoA,MultiByteToWideChar,		0_2_0040F8DA
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,		0_2_0040F94E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: _strlen,_strlen,EnumSystemLocalesA,		0_2_0040D1C8
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: _strlen,EnumSystemLocalesA,		0_2_0040D191
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: _strlen,EnumSystemLocalesA,		0_2_0040D24E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: GetLocaleInfoW,WideCharToMultiByte,		0_2_0040FA01
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: GetLocaleInfoA,		0_2_0040D6A0
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,		0_2_0040D2A3
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: GetLocaleInfoA,		0_2_0040CC72
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,		0_2_0040F81E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: GetLocaleInfoA,MultiByteToWideChar,		0_2_0040F8DA
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,		0_2_0040F94E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: _strlen,_strlen,EnumSystemLocalesA,		0_2_0040D1C8
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: _strlen,EnumSystemLocalesA,		0_2_0040D191
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: _strlen,EnumSystemLocalesA,		0_2_0040D24E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: GetLocaleInfoW,WideCharToMultiByte,		0_2_0040FA01
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: GetLocaleInfoA,		0_2_0040D6A0
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,		0_2_0040D2A3
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: GetLocaleInfoA,		3_2_0040CC72
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,		3_2_0040F81E
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: GetLocaleInfoA,MultiByteToWideChar,		3_2_0040F8DA
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,		3_2_0040F94E
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: _strlen,_strlen,EnumSystemLocalesA,		3_2_0040D1C8
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: _strlen,EnumSystemLocalesA,		3_2_0040D191
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: _strlen,EnumSystemLocalesA,		3_2_0040D24E
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: GetLocaleInfoW,WideCharToMultiByte,		3_2_0040FA01
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: GetLocaleInfoA,		3_2_0040D6A0
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,		3_2_0040D2A3

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jcp VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jtx VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jcp VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jtx VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jtx VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jtx VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jcp VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.vol VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.jfm VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.vol VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.vol VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\tmp.edb VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jcp VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jtx VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jcp VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jtx VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jtx VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jtx VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jcp VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.vol VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.jfm VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.vol VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.vol VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\tmp.edb VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Contains functionality to query local / system time

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0040B346 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,		0_2_0040B346
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_0040B346 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,		0_2_0040B346

Contains functionality to query windows version

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00405A89 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,		0_2_00405A89
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe	Code function: 0_2_00405A89 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,		0_2_00405A89

Queries the cryptographic machine GUID

Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval			Jump to behavior

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 0000000E.00000002.482370944.0000015D08A40000.00000004.00000001.sdmp	Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.482473303.0000015D08B02000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.482370944.0000015D08A40000.00000004.00000001.sdmp	Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.482473303.0000015D08B02000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet

Source: Yara match	File source: 00000003.00000002.484278022.0000000002171000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.220853815.0000000002631000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.220137105.0000000002120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.483728370.00000000020E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.220808157.00000000025E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.482905413.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.23cf697d5faf11a3ffdd271e1d301173.exe.2630000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.dot3hc.exe.2170000.1.unpack, type: UNPACKEDPE