Windows Analysis Report NWMEaRqF7s.exe

Overview

General Information

Sample Name: NWMEaRqF7s.exe
Analysis ID: 445260
MD5: 0ba53dbed762655999bd37a1d8bee9db
SHA1: 4566e7559e5c4287a25796ed622324a6b5b70e63
SHA256: 77ed3ca0af1fec8c76e4f77114090edec76040713e53f6682151b53d79f28c79

Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus or Machine Learning detection for unpacked file
Connects to several IPs in different countries
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: NWMEaRqF7s.exe Avira: detected
Found malware configuration
Source: 3.2.dot3hc.exe.22d052e.3.unpack Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["192.158.216.73:80", "85.214.28.226:8080", "142.44.137.67:443", "162.241.242.173:8080", "85.152.162.105:80", "62.30.7.67:443", "78.24.219.147:8080", "74.120.55.163:80", "169.239.182.217:8080", "216.208.76.186:80", "95.213.236.64:8080", "200.114.213.233:8080", "104.131.44.150:8080", "70.121.172.89:80", "75.139.38.211:80", "185.94.252.104:443", "97.82.79.83:80", "103.86.49.11:8080", "79.98.24.39:8080", "83.169.36.251:8080", "188.219.31.12:80", "74.208.45.104:8080", "137.59.187.107:8080", "174.45.13.118:80", "194.187.133.160:443", "50.81.3.113:80", "201.173.217.124:443", "139.99.158.11:443", "173.62.217.22:443", "139.130.242.43:80", "190.160.53.126:80", "137.119.36.33:80", "209.141.54.221:8080", "24.179.13.119:80", "120.150.60.189:80", "107.5.122.110:80", "121.124.124.40:7080", "203.153.216.189:7080", "157.245.99.39:8080", "85.105.205.77:8080", "173.81.218.65:80", "110.145.77.103:80", "47.144.21.12:443", "95.179.229.244:8080", "187.161.206.24:80", "46.105.131.79:8080", "189.212.199.126:443", "168.235.67.138:7080", "24.137.76.62:80", "85.66.181.138:80", "200.41.121.90:80", "5.39.91.110:7080", "104.236.246.93:8080", "172.91.208.86:80", "99.224.14.125:80", "37.139.21.175:8080", "109.74.5.95:8080", "1.221.254.82:80", "61.19.246.238:443", "5.196.74.210:8080", "67.205.85.243:8080", "79.137.83.50:443", "94.200.114.161:80", "70.180.43.7:80", "190.55.181.54:443", "47.146.117.214:80", "89.205.113.80:80", "37.187.72.193:8080", "84.39.182.7:80", "104.131.11.150:443", "139.162.108.71:8080", "87.106.136.232:8080", "153.232.188.106:80", "37.70.8.161:80", "112.185.64.233:80", "87.106.139.101:8080", "94.23.237.171:443", "24.43.99.75:80", "203.117.253.142:80", "98.109.204.230:80", "93.147.212.206:80", "91.211.88.52:7080", "139.59.60.244:8080", "176.111.60.55:8080", "180.92.239.110:8080", "62.75.141.82:80", "174.102.48.180:443"]}
Multi AV Scanner detection for submitted file
Source: NWMEaRqF7s.exe Virustotal: Detection: 84%
Source: NWMEaRqF7s.exe Metadefender: Detection: 68%
Source: NWMEaRqF7s.exe ReversingLabs: Detection: 92%
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.dot3hc.exe.22d052e.3.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 1.2.NWMEaRqF7s.exe.5a052e.2.unpack Avira: Label: TR/Crypt.XPACK.Gen2

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_02301DEC CryptDecodeObjectEx, 3_2_02301DEC

Compliance:

Uses 32bit PE files
Source: NWMEaRqF7s.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_00410555 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 1_2_00410555
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_022528FB FindFirstFileW,FindNextFileW,FindClose, 1_2_022528FB
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_00410555 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_00410555
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_023028FB FindFirstFileW,FindNextFileW,FindClose, 3_2_023028FB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 192.158.216.73:80
Source: Malware configuration extractor IPs: 85.214.28.226:8080
Source: Malware configuration extractor IPs: 142.44.137.67:443
Source: Malware configuration extractor IPs: 162.241.242.173:8080
Source: Malware configuration extractor IPs: 85.152.162.105:80
Source: Malware configuration extractor IPs: 62.30.7.67:443
Source: Malware configuration extractor IPs: 78.24.219.147:8080
Source: Malware configuration extractor IPs: 74.120.55.163:80
Source: Malware configuration extractor IPs: 169.239.182.217:8080
Source: Malware configuration extractor IPs: 216.208.76.186:80
Source: Malware configuration extractor IPs: 95.213.236.64:8080
Source: Malware configuration extractor IPs: 200.114.213.233:8080
Source: Malware configuration extractor IPs: 104.131.44.150:8080
Source: Malware configuration extractor IPs: 70.121.172.89:80
Source: Malware configuration extractor IPs: 75.139.38.211:80
Source: Malware configuration extractor IPs: 185.94.252.104:443
Source: Malware configuration extractor IPs: 97.82.79.83:80
Source: Malware configuration extractor IPs: 103.86.49.11:8080
Source: Malware configuration extractor IPs: 79.98.24.39:8080
Source: Malware configuration extractor IPs: 83.169.36.251:8080
Source: Malware configuration extractor IPs: 188.219.31.12:80
Source: Malware configuration extractor IPs: 74.208.45.104:8080
Source: Malware configuration extractor IPs: 137.59.187.107:8080
Source: Malware configuration extractor IPs: 174.45.13.118:80
Source: Malware configuration extractor IPs: 194.187.133.160:443
Source: Malware configuration extractor IPs: 50.81.3.113:80
Source: Malware configuration extractor IPs: 201.173.217.124:443
Source: Malware configuration extractor IPs: 139.99.158.11:443
Source: Malware configuration extractor IPs: 173.62.217.22:443
Source: Malware configuration extractor IPs: 139.130.242.43:80
Source: Malware configuration extractor IPs: 190.160.53.126:80
Source: Malware configuration extractor IPs: 137.119.36.33:80
Source: Malware configuration extractor IPs: 209.141.54.221:8080
Source: Malware configuration extractor IPs: 24.179.13.119:80
Source: Malware configuration extractor IPs: 120.150.60.189:80
Source: Malware configuration extractor IPs: 107.5.122.110:80
Source: Malware configuration extractor IPs: 121.124.124.40:7080
Source: Malware configuration extractor IPs: 203.153.216.189:7080
Source: Malware configuration extractor IPs: 157.245.99.39:8080
Source: Malware configuration extractor IPs: 85.105.205.77:8080
Source: Malware configuration extractor IPs: 173.81.218.65:80
Source: Malware configuration extractor IPs: 110.145.77.103:80
Source: Malware configuration extractor IPs: 47.144.21.12:443
Source: Malware configuration extractor IPs: 95.179.229.244:8080
Source: Malware configuration extractor IPs: 187.161.206.24:80
Source: Malware configuration extractor IPs: 46.105.131.79:8080
Source: Malware configuration extractor IPs: 189.212.199.126:443
Source: Malware configuration extractor IPs: 168.235.67.138:7080
Source: Malware configuration extractor IPs: 24.137.76.62:80
Source: Malware configuration extractor IPs: 85.66.181.138:80
Source: Malware configuration extractor IPs: 200.41.121.90:80
Source: Malware configuration extractor IPs: 5.39.91.110:7080
Source: Malware configuration extractor IPs: 104.236.246.93:8080
Source: Malware configuration extractor IPs: 172.91.208.86:80
Source: Malware configuration extractor IPs: 99.224.14.125:80
Source: Malware configuration extractor IPs: 37.139.21.175:8080
Source: Malware configuration extractor IPs: 109.74.5.95:8080
Source: Malware configuration extractor IPs: 1.221.254.82:80
Source: Malware configuration extractor IPs: 61.19.246.238:443
Source: Malware configuration extractor IPs: 5.196.74.210:8080
Source: Malware configuration extractor IPs: 67.205.85.243:8080
Source: Malware configuration extractor IPs: 79.137.83.50:443
Source: Malware configuration extractor IPs: 94.200.114.161:80
Source: Malware configuration extractor IPs: 70.180.43.7:80
Source: Malware configuration extractor IPs: 190.55.181.54:443
Source: Malware configuration extractor IPs: 47.146.117.214:80
Source: Malware configuration extractor IPs: 89.205.113.80:80
Source: Malware configuration extractor IPs: 37.187.72.193:8080
Source: Malware configuration extractor IPs: 84.39.182.7:80
Source: Malware configuration extractor IPs: 104.131.11.150:443
Source: Malware configuration extractor IPs: 139.162.108.71:8080
Source: Malware configuration extractor IPs: 87.106.136.232:8080
Source: Malware configuration extractor IPs: 153.232.188.106:80
Source: Malware configuration extractor IPs: 37.70.8.161:80
Source: Malware configuration extractor IPs: 112.185.64.233:80
Source: Malware configuration extractor IPs: 87.106.139.101:8080
Source: Malware configuration extractor IPs: 94.23.237.171:443
Source: Malware configuration extractor IPs: 24.43.99.75:80
Source: Malware configuration extractor IPs: 203.117.253.142:80
Source: Malware configuration extractor IPs: 98.109.204.230:80
Source: Malware configuration extractor IPs: 93.147.212.206:80
Source: Malware configuration extractor IPs: 91.211.88.52:7080
Source: Malware configuration extractor IPs: 139.59.60.244:8080
Source: Malware configuration extractor IPs: 176.111.60.55:8080
Source: Malware configuration extractor IPs: 180.92.239.110:8080
Source: Malware configuration extractor IPs: 62.75.141.82:80
Source: Malware configuration extractor IPs: 174.102.48.180:443
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 30
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49730 -> 85.214.28.226:8080
Source: global traffic TCP traffic: 192.168.2.6:49732 -> 162.241.242.173:8080
Source: global traffic TCP traffic: 192.168.2.6:49760 -> 78.24.219.147:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 94.200.114.161 94.200.114.161
Source: Joe Sandbox View IP Address: 139.99.158.11 139.99.158.11
Source: Joe Sandbox View IP Address: 85.214.28.226 85.214.28.226
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ROGERS-COMMUNICATIONSCA ROGERS-COMMUNICATIONSCA
Source: Joe Sandbox View ASN Name: STARHUB-MOBILEStarHubLtdSG STARHUB-MOBILEStarHubLtdSG
Source: Joe Sandbox View ASN Name: DU-AS1AE DU-AS1AE
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /DLgjaT02V4ZRh7a7A/wt8CBtC1NZfAQWkn/ HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------80lhrKDVYliktvcpjgmL9User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 142.44.137.67:443Content-Length: 4612Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.216.73
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.216.73
Source: unknown TCP traffic detected without corresponding DNS query: 192.158.216.73
Source: unknown TCP traffic detected without corresponding DNS query: 85.214.28.226
Source: unknown TCP traffic detected without corresponding DNS query: 85.214.28.226
Source: unknown TCP traffic detected without corresponding DNS query: 85.214.28.226
Source: unknown TCP traffic detected without corresponding DNS query: 142.44.137.67
Source: unknown TCP traffic detected without corresponding DNS query: 142.44.137.67
Source: unknown TCP traffic detected without corresponding DNS query: 142.44.137.67
Source: unknown TCP traffic detected without corresponding DNS query: 142.44.137.67
Source: unknown TCP traffic detected without corresponding DNS query: 142.44.137.67
Source: unknown TCP traffic detected without corresponding DNS query: 142.44.137.67
Source: unknown TCP traffic detected without corresponding DNS query: 142.44.137.67
Source: unknown TCP traffic detected without corresponding DNS query: 162.241.242.173
Source: unknown TCP traffic detected without corresponding DNS query: 162.241.242.173
Source: unknown TCP traffic detected without corresponding DNS query: 162.241.242.173
Source: unknown TCP traffic detected without corresponding DNS query: 85.152.162.105
Source: unknown TCP traffic detected without corresponding DNS query: 85.152.162.105
Source: unknown TCP traffic detected without corresponding DNS query: 85.152.162.105
Source: unknown TCP traffic detected without corresponding DNS query: 62.30.7.67
Source: unknown TCP traffic detected without corresponding DNS query: 62.30.7.67
Source: unknown TCP traffic detected without corresponding DNS query: 62.30.7.67
Source: unknown TCP traffic detected without corresponding DNS query: 78.24.219.147
Source: unknown TCP traffic detected without corresponding DNS query: 78.24.219.147
Source: unknown TCP traffic detected without corresponding DNS query: 78.24.219.147
Source: svchost.exe, 0000000C.00000002.470826359.0000017DE74EC000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000C.00000002.470826359.0000017DE74EC000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000C.00000002.471604595.0000017DE7D15000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-07-07T08:53:08.3402540Z||.||e614b8f2-4086-47b8-a8db-bfa82598f22f||1152921505693648129||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000C.00000003.449149844.0000017DE7DA0000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: unknown HTTP traffic detected: POST /DLgjaT02V4ZRh7a7A/wt8CBtC1NZfAQWkn/ HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------80lhrKDVYliktvcpjgmL9User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 142.44.137.67:443Content-Length: 4612Connection: Keep-AliveCache-Control: no-cache
Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmp String found in binary or memory: http://142.44.137.67:443/DLgjaT02V4ZRh7a7A/wt8CBtC1NZfAQWkn/
Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmp String found in binary or memory: http://142.44.137.67:443/DLgjaT02V4ZRh7a7A/wt8CBtC1NZfAQWkn/T
Source: dot3hc.exe, 00000003.00000002.617493690.00000000029F9000.00000004.00000001.sdmp String found in binary or memory: http://162.241.242.173:8080/nPONFQEvQO/m1R1pV6p0j201mdDM/V3kdX/
Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmp String found in binary or memory: http://192.158.216.73/bw3A8vOSwPk/MUmkPxxvia/gp9rmo9BY/Aiyozum4do0I2sb158h/TZEWfRpLT/CpHNbkWtxKNiePn
Source: dot3hc.exe, 00000003.00000002.617493690.00000000029F9000.00000004.00000001.sdmp String found in binary or memory: http://78.24.219.147:8080/2VdcJgn3KtqNnFx/FoHxTH03XYaP/
Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmp String found in binary or memory: http://78.24.219.147:8080/2VdcJgn3KtqNnFx/FoHxTH03XYaP/t
Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmp String found in binary or memory: http://85.152.162.105/jIpQt16P2GWjQ5/wnzZKJ/DKZyC/
Source: svchost.exe, 0000000C.00000003.470057078.0000017DE7452000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 0000000C.00000002.471659904.0000017DE7D75000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRoo
Source: svchost.exe, 0000000C.00000003.470057078.0000017DE7452000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000012.00000002.617508051.0000017D2F811000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 0000000C.00000003.470057078.0000017DE7452000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 0000000C.00000003.470057078.0000017DE7452000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 00000012.00000002.617508051.0000017D2F811000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000012.00000002.617508051.0000017D2F811000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000012.00000002.616906100.0000017D2F6D0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000C.00000003.449149844.0000017DE7DA0000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000C.00000003.449149844.0000017DE7DA0000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000C.00000003.457543774.0000017DE7DAB000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000C.00000003.457543774.0000017DE7DAB000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000C.00000003.457543774.0000017DE7DAB000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000000C.00000003.449149844.0000017DE7DA0000.00000004.00000001.sdmp String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: svchost.exe, 0000000C.00000003.457543774.0000017DE7DAB000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000C.00000003.457543774.0000017DE7DAB000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: svchost.exe, 0000000C.00000003.450618925.0000017DE7D9E000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0040A094 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_0040A094
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0040A094 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_0040A094

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 1.2.NWMEaRqF7s.exe.5a052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NWMEaRqF7s.exe.5a23ae.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NWMEaRqF7s.exe.5a23ae.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dot3hc.exe.22d052e.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dot3hc.exe.22d052e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dot3hc.exe.22d23ae.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dot3hc.exe.22d23ae.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NWMEaRqF7s.exe.5a052e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.347473341.0000000002244000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.347079722.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.615027778.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.615086404.00000000022E4000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe File created: C:\Windows\SysWOW64\sqlcecompact40\ Jump to behavior
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe File deleted: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe:Zone.Identifier Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0042F078 1_2_0042F078
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_00420268 1_2_00420268
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0042339B 1_2_0042339B
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0042C550 1_2_0042C550
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0042E5F4 1_2_0042E5F4
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_00428640 1_2_00428640
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0042063C 1_2_0042063C
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0042F73C 1_2_0042F73C
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0041E780 1_2_0041E780
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0043084D 1_2_0043084D
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0040B8F6 1_2_0040B8F6
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_00420A48 1_2_00420A48
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0042EB36 1_2_0042EB36
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_00427C19 1_2_00427C19
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0041FD95 1_2_0041FD95
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_00420E68 1_2_00420E68
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_02252AEA 1_2_02252AEA
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_02252C80 1_2_02252C80
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0042F078 3_2_0042F078
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_00420268 3_2_00420268
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0042339B 3_2_0042339B
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0042C550 3_2_0042C550
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0042E5F4 3_2_0042E5F4
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_00428640 3_2_00428640
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0042063C 3_2_0042063C
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0042F73C 3_2_0042F73C
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0041E780 3_2_0041E780
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0043084D 3_2_0043084D
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0040B8F6 3_2_0040B8F6
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_00420A48 3_2_00420A48
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0042EB36 3_2_0042EB36
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_00427C19 3_2_00427C19
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0041FD95 3_2_0041FD95
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_00420E68 3_2_00420E68
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_02302AEA 3_2_02302AEA
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_02302C80 3_2_02302C80
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_022D4298 3_2_022D4298
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_022D442E 3_2_022D442E
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: String function: 004036EF appears 33 times
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: String function: 0041F71D appears 39 times
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: String function: 0041F6EA appears 140 times
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: String function: 00421418 appears 52 times
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: String function: 004036EF appears 33 times
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: String function: 0041F71D appears 39 times
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: String function: 0041F6EA appears 140 times
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: String function: 00421418 appears 52 times
PE file contains strange resources
Source: NWMEaRqF7s.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: NWMEaRqF7s.exe, 00000001.00000002.346994903.0000000000449000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamecmdcmxcfg.exe. vs NWMEaRqF7s.exe
Source: NWMEaRqF7s.exe, 00000001.00000002.348521498.0000000002E30000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs NWMEaRqF7s.exe
Source: NWMEaRqF7s.exe, 00000001.00000002.348726962.0000000002F20000.00000002.00000001.sdmp Binary or memory string: originalfilename vs NWMEaRqF7s.exe
Source: NWMEaRqF7s.exe, 00000001.00000002.348726962.0000000002F20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NWMEaRqF7s.exe
Source: NWMEaRqF7s.exe Binary or memory string: OriginalFilenamecmdcmxcfg.exe. vs NWMEaRqF7s.exe
Uses 32bit PE files
Source: NWMEaRqF7s.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: classification engine Classification label: mal88.troj.evad.winEXE@8/4@0/88
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_02303686 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, 3_2_02303686
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0040638F __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3_catch,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource, 1_2_0040638F
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto Jump to behavior
Source: NWMEaRqF7s.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: NWMEaRqF7s.exe Virustotal: Detection: 84%
Source: NWMEaRqF7s.exe Metadefender: Detection: 68%
Source: NWMEaRqF7s.exe ReversingLabs: Detection: 92%
Source: unknown Process created: C:\Users\user\Desktop\NWMEaRqF7s.exe 'C:\Users\user\Desktop\NWMEaRqF7s.exe'
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Process created: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Process created: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Jump to behavior
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Window detected: Number of UI elements: 11

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_00401D20 LoadLibraryW,GetProcAddress, 1_2_00401D20
PE file contains an invalid checksum
Source: NWMEaRqF7s.exe Static PE information: real checksum: 0x5d872 should be: 0x5cbf3
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0042145D push ecx; ret 1_2_00421470
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0041B69C push 59FFFE78h; ret 1_2_0041B6A5
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0041F7C2 push ecx; ret 1_2_0041F7D5
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0042145D push ecx; ret 3_2_00421470
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0041B69C push 59FFFE78h; ret 3_2_0041B6A5
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0041F7C2 push ecx; ret 3_2_0041F7D5
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_022D974C push edx; ret 3_2_022D9761

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Executable created and started: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Jump to behavior
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe PE file moved: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe File opened: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_00402130 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 1_2_00402130
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_004078B8 IsIconic,GetWindowPlacement,GetWindowRect, 1_2_004078B8
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_00402130 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 3_2_00402130
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_004078B8 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_004078B8
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe API coverage: 9.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5976 Thread sleep time: -150000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5976 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_00410555 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 1_2_00410555
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_022528FB FindFirstFileW,FindNextFileW,FindClose, 1_2_022528FB
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_00410555 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_00410555
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_023028FB FindFirstFileW,FindNextFileW,FindClose, 3_2_023028FB
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0041E654 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 1_2_0041E654
Source: svchost.exe, 00000012.00000002.614751987.0000017D2A02A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW ?
Source: dot3hc.exe, 00000003.00000002.617441030.00000000029E2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW(Yd%SystemRoot%\system32\mswsock.dll~y
Source: svchost.exe, 00000005.00000002.373440622.00000241EBF40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.419273377.000001BBD3940000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.436429626.0000023111660000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.472258673.0000017DE8400000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000012.00000002.617796585.0000017D2F863000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: dot3hc.exe, 00000003.00000003.435481620.00000000029F9000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.470057078.0000017DE7452000.00000004.00000001.sdmp, svchost.exe, 00000012.00000002.617740212.0000017D2F857000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.373440622.00000241EBF40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.419273377.000001BBD3940000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.436429626.0000023111660000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.472258673.0000017DE8400000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000005.00000002.373440622.00000241EBF40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.419273377.000001BBD3940000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.436429626.0000023111660000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.472258673.0000017DE8400000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000005.00000002.373440622.00000241EBF40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.419273377.000001BBD3940000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.436429626.0000023111660000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.472258673.0000017DE8400000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0041E5DF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0041E5DF
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_00401D20 LoadLibraryW,GetProcAddress, 1_2_00401D20
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_022537AF mov eax, dword ptr fs:[00000030h] 1_2_022537AF
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_02252EC1 mov eax, dword ptr fs:[00000030h] 1_2_02252EC1
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_02241030 mov eax, dword ptr fs:[00000030h] 1_2_02241030
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_023037AF mov eax, dword ptr fs:[00000030h] 3_2_023037AF
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_02302EC1 mov eax, dword ptr fs:[00000030h] 3_2_02302EC1
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_022D095E mov eax, dword ptr fs:[00000030h] 3_2_022D095E
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_022D466F mov eax, dword ptr fs:[00000030h] 3_2_022D466F
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_022D4F5D mov eax, dword ptr fs:[00000030h] 3_2_022D4F5D
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_022D0456 mov eax, dword ptr fs:[00000030h] 3_2_022D0456
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_022E1030 mov eax, dword ptr fs:[00000030h] 3_2_022E1030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0041F4E5 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln, 1_2_0041F4E5
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0042936B __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0042936B
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0041E5DF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0041E5DF
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_004276D9 __decode_pointer,SetUnhandledExceptionFilter, 1_2_004276D9
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_004276B7 SetUnhandledExceptionFilter,__encode_pointer, 1_2_004276B7
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_00424D0A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00424D0A
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0042936B __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0042936B
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_0041E5DF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0041E5DF
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_004276D9 __decode_pointer,SetUnhandledExceptionFilter, 3_2_004276D9
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_004276B7 SetUnhandledExceptionFilter,__encode_pointer, 3_2_004276B7
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: 3_2_00424D0A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00424D0A
Source: dot3hc.exe, 00000003.00000002.614889926.0000000000E00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: dot3hc.exe, 00000003.00000002.614889926.0000000000E00000.00000002.00000001.sdmp Binary or memory string: Progman
Source: dot3hc.exe, 00000003.00000002.614889926.0000000000E00000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: dot3hc.exe, 00000003.00000002.614889926.0000000000E00000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0042C347 cpuid 1_2_0042C347
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 1_2_00403F0B
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 1_2_004313E8
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: GetLocaleInfoA, 1_2_0042BDB0
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 3_2_00403F0B
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 3_2_004313E8
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Code function: GetLocaleInfoA, 3_2_0042BDB0
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\sqlcecompact40\dot3hc.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_004273AA GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 1_2_004273AA
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_0042B089 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 1_2_0042B089
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Code function: 1_2_00404142 __EH_prolog3,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,ConvertDefaultLocale,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,ConvertDefaultLocale,GetModuleFileNameA,GetVersion,RegOpenKeyExA,RegQueryValueExA,_sscanf,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,RegCloseKey,GetModuleHandleA,EnumResourceLanguagesA,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,_memset, 1_2_00404142
Source: C:\Users\user\Desktop\NWMEaRqF7s.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 1.2.NWMEaRqF7s.exe.5a052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NWMEaRqF7s.exe.5a23ae.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NWMEaRqF7s.exe.5a23ae.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dot3hc.exe.22d052e.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dot3hc.exe.22d052e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dot3hc.exe.22d23ae.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dot3hc.exe.22d23ae.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NWMEaRqF7s.exe.5a052e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.347473341.0000000002244000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.347079722.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.615027778.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.615086404.00000000022E4000.00000004.00000001.sdmp, type: MEMORY