
Windows Analysis Report: methodsnetsh.exe

Overview

General Information

Sample Name: methodsnetsh.exe
Analysis ID: 450352
MD5: 8e22080fe62e462723d231fe5c8ba98a
SHA1: 8b58fd7bcd7083e5a326e7a04e10c0e0626ac4ca
SHA256: d082395ca1ce0c118edbff1e5bf1b1d4ad2db5aefa5691cc4c15bd94208a3cc0

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • methodsnetsh.exe (PID: 6032 cmdline: 'C:\Users\user\Desktop\methodsnetsh.exe' MD5: 8E22080FE62E462723D231FE5C8BA98A)
    • methodsnetsh.exe (PID: 5456 cmdline: --4a9ea48a MD5: 8E22080FE62E462723D231FE5C8BA98A)
  • svchost.exe (PID: 3412 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • sensorias.exe (PID: 5564 cmdline: C:\Windows\SysWOW64\sensorias.exe MD5: 8E22080FE62E462723D231FE5C8BA98A)
    • sensorias.exe (PID: 6036 cmdline: --606904f7 MD5: 8E22080FE62E462723D231FE5C8BA98A)
  • svchost.exe (PID: 6072 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5868 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5948 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5576 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2168 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 4168 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6096 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 4880 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 3596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 496 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly |
  • 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0
  • 0x59a5:$snippet6: 33 C0 21 05 0C 3C 41 00 A3 08 3C 41 00 39 05 60 03 41 00 74 18 40 A3 08 3C 41 00 83 3C C5 60 03 ...
00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly |
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 7E 00 85 C0
  • 0x5066:$snippet6: 33 C0 21 05 0C 3C 7E 00 A3 08 3C 7E 00 39 05 60 03 7E 00 74 18 40 A3 08 3C 7E 00 83 3C C5 60 03 ...
00000006.00000002.224058115.0000000000AB0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(table has 11 entries; only the first are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.methodsnetsh.exe.6f053f.1.raw.unpack | MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth |
  • 0x3177:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20
  • 0x315d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
1.2.methodsnetsh.exe.6f053f.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.methodsnetsh.exe.6f053f.1.raw.unpack | Emotet | Emotet Payload | kevoreilly |
  • 0x13ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 D8 1B 41 00 85 C0
  • 0x5466:$snippet6: 33 C0 21 05 0C 3C 41 00 A3 08 3C 41 00 39 05 60 03 41 00 74 18 40 A3 08 3C 41 00 83 3C C5 60 03 ...
1.2.methodsnetsh.exe.6f053f.1.raw.unpack | Win32_Trojan_Emotet | unknown | ReversingLabs |
  • 0xe52:$decrypt_resource_v1: 55 8B EC 83 EC 18 53 8B D9 8B C2 56 57 89 45 F0 8B 3B 33 F8 8B C7 89 7D EC 83 E0 03 75 05 8D 77 ...
  • 0xcfbf:$generate_filename_v1: 56 57 33 C0 BF 28 41 41 00 57 50 50 6A 1C 50 FF 15 A8 2B 41 00 BA 7E BC E6 47 B9 60 0D 41 00 E8 ...
0.2.methodsnetsh.exe.62053f.1.raw.unpack | MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth |
  • 0x3177:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20
  • 0x315d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
(table has 23 entries; only the first are shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: methodsnetsh.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: methodsnetsh.exe | Virustotal: Detection: 65%
Source: methodsnetsh.exe | Metadefender: Detection: 56%
Source: methodsnetsh.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D1F11 CryptExportKey
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D1F56 CryptGetHashParam
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC1F11 CryptExportKey
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC1F56 CryptGetHashParam
Source: methodsnetsh.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 0_2_0042A049 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 0_2_0042A18A lstrlenA,FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_0042A049 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_0042A18A lstrlenA,FindFirstFileA,FindClose
Source: global traffic | TCP traffic: 192.168.2.3:49744 -> 91.250.96.22:8080
Source: Joe Sandbox View | IP Address: 100.6.23.40 100.6.23.40
Source: Joe Sandbox View | IP Address: 100.6.23.40 100.6.23.40
Source: global traffic | TCP traffic: 192.168.2.3:49728 -> 100.6.23.40:80
Source: global traffic | TCP traffic: 192.168.2.3:49736 -> 200.71.200.4:443
Source: global traffic | TCP traffic: 192.168.2.3:49742 -> 190.114.244.182:443
Source: unknown | TCP traffic detected without corresponding DNS query: 100.6.23.40
Source: unknown | TCP traffic detected without corresponding DNS query: 100.6.23.40
Source: unknown | TCP traffic detected without corresponding DNS query: 100.6.23.40
Source: unknown | TCP traffic detected without corresponding DNS query: 200.71.200.4
Source: unknown | TCP traffic detected without corresponding DNS query: 200.71.200.4
Source: unknown | TCP traffic detected without corresponding DNS query: 200.71.200.4
Source: unknown | TCP traffic detected without corresponding DNS query: 190.114.244.182
Source: unknown | TCP traffic detected without corresponding DNS query: 190.114.244.182
Source: unknown | TCP traffic detected without corresponding DNS query: 190.114.244.182
Source: unknown | TCP traffic detected without corresponding DNS query: 91.250.96.22
Source: unknown | TCP traffic detected without corresponding DNS query: 91.250.96.22
Source: unknown | TCP traffic detected without corresponding DNS query: 91.250.96.22
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC1383 InternetReadFile
Source: sensorias.exe, 00000007.00000002.468140623.000000000019A000.00000004.00000001.sdmp | String found in binary or memory: http://91.250.96.22/LhqjdNLOiM5Uy7n
Source: svchost.exe, 00000008.00000002.470899207.000001A9A7815000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000008.00000002.470899207.000001A9A7815000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000008.00000002.470899207.000001A9A7815000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000008.00000002.470502690.000001A9A7770000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000D.00000002.308922083.000001DEADC13000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000002.468716637.0000020F47840000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.468716637.0000020F47840000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.468716637.0000020F47840000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.468716637.0000020F47840000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.468716637.0000020F47840000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000D.00000003.307808919.000001DEADC5A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.307770894.000001DEADC49000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000D.00000002.308975544.000001DEADC42000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000D.00000002.308975544.000001DEADC42000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000002.309009360.000001DEADC5C000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.307826390.000001DEADC40000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000D.00000003.307808919.000001DEADC5A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000002.309009360.000001DEADC5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000002.309009360.000001DEADC5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.307770894.000001DEADC49000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.286040373.000001DEADC32000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000002.471027858.000001A9A7843000.00000004.00000001.sdmp | String found in binary or memory: https://fs.microsoft.cH
Source: svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.308922083.000001DEADC13000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.307841187.000001DEADC56000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.307841187.000001DEADC56000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.307826390.000001DEADC40000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000D.00000003.307847685.000001DEADC41000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000D.00000003.307770894.000001DEADC49000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: methodsnetsh.exe, 00000000.00000002.205022042.000000000084A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 0_2_0042CB9E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_0042CB9E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009DDE9C
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00ECDE9C
Yara detected Emotet
Source: Yara match | File source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.methodsnetsh.exe.62053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.sensorias.exe.ea053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.sensorias.exe.ab053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.methodsnetsh.exe.6f053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.224058115.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.224911448.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.224082773.0000000000F61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.469150686.0000000000EC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.469102796.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.225065332.00000000009D1000.00000020.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.methodsnetsh.exe.62053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 7.2.sensorias.exe.ea053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 6.2.sensorias.exe.ab053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.methodsnetsh.exe.6f053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000006.00000002.224058115.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.224911448.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000006.00000002.224082773.0000000000F61000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000007.00000002.469150686.0000000000EC1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000007.00000002.469102796.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.225065332.00000000009D1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009DE068 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D1D2B CreateProcessAsUserW,CreateProcessW
Source: C:\Windows\SysWOW64\sensorias.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\methodsnetsh.exe | File deleted: C:\Windows\SysWOW64\sensorias.exe:Zone.Identifier
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 0_2_0041D2A4
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 0_2_0042DBF6
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 0_2_00420CE2
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_0041D2A4
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_0042DBF6
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_00420CE2
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_006F30E8
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_006F30E4
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_006F28C1
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D2F82
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D37A9
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: 1_2_009D37A5
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 6_2_00AB30E8
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 6_2_00AB30E4
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 6_2_00AB28C1
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 6_2_00F637A5
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 6_2_00F637A9
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 6_2_00F62F82
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EA30E8
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EA30E4
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EA28C1
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC37A9
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC37A5
Source: C:\Windows\SysWOW64\sensorias.exe | Code function: 7_2_00EC2F82
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: String function: 0041F843 appears 36 times
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: String function: 00420649 appears 43 times
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: String function: 00431FE2 appears 40 times
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: String function: 0041DC48 appears 90 times
Source: C:\Users\user\Desktop\methodsnetsh.exe | Code function: String function: 0041D6AC appears 111 times
Source: methodsnetsh.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: methodsnetsh.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: methodsnetsh.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: methodsnetsh.exe, 00000000.00000002.204812573.0000000000442000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDShowEncoder.EXER vs methodsnetsh.exe
Source: methodsnetsh.exe, 00000001.00000002.224720605.0000000000442000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDShowEncoder.EXER vs methodsnetsh.exe
Source: methodsnetsh.exe, 00000001.00000002.225734467.00000000029E0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs methodsnetsh.exe
Source: methodsnetsh.exe, 00000001.00000002.225734467.00000000029E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs methodsnetsh.exe
Source: methodsnetsh.exe, 00000001.00000002.225577349.00000000028E0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs methodsnetsh.exe
Source: methodsnetsh.exe | Binary or memory string: OriginalFilenameDShowEncoder.EXER vs methodsnetsh.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: methodsnetsh.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.methodsnetsh.exe.62053f.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.methodsnetsh.exe.62053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 7.2.sensorias.exe.ea053f.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 7.2.sensorias.exe.ea053f.1.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 6.2.sensorias.exe.ab053f.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
          Source: 6.2.sensorias.exe.ab053f.1.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 1.2.methodsnetsh.exe.6f053f.1.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
          Source: 1.2.methodsnetsh.exe.6f053f.1.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
          Source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPEMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
          Source: 00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 00000006.00000002.224058115.0000000000AB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 00000001.00000002.224911448.00000000006F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 00000006.00000002.224082773.0000000000F61000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 00000007.00000002.469150686.0000000000EC1000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 00000007.00000002.469102796.0000000000EA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: 00000001.00000002.225065332.00000000009D1000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: classification engineClassification label: mal96.bank.troj.evad.winEXE@18/7@0/5
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_009DE138
          Source: C:\Windows\SysWOW64\sensorias.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,7_2_00ECE138
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 1_2_009D1943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,1_2_009D1943
          Source: C:\Users\user\Desktop\methodsnetsh.exeCode function: 0_2_00402170 CoCreateInstance,VariantInit,VariantClear,0_2_00402170
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 0_2_00407190 CoInitialize,FindResourceA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessa 0_2_00407190
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 1_2_009DE138 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_009DE138
          Source: C:\Users\user\Desktop\methodsnetsh.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
          Source: C:\Windows\SysWOW64\sensorias.exe; Mutant created: \BaseNamedObjects\Global\I5ADD31F0
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\I5ADD31F0
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\M5ADD31F0
          Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:3596:120:WilError_01
          Source: methodsnetsh.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\methodsnetsh.exe; File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\System32\svchost.exe; File read: C:\Windows\System32\drivers\etc\hosts
          Source: methodsnetsh.exe; Virustotal: Detection: 65%
          Source: methodsnetsh.exe; Metadefender: Detection: 56%
          Source: methodsnetsh.exe; ReversingLabs: Detection: 86%
          Source: C:\Windows\SysWOW64\sensorias.exe; Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
          Source: unknown; Process created: C:\Users\user\Desktop\methodsnetsh.exe 'C:\Users\user\Desktop\methodsnetsh.exe'
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Process created: C:\Users\user\Desktop\methodsnetsh.exe --4a9ea48a
          Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: unknown; Process created: C:\Windows\SysWOW64\sensorias.exe C:\Windows\SysWOW64\sensorias.exe
          Source: C:\Windows\SysWOW64\sensorias.exe; Process created: C:\Windows\SysWOW64\sensorias.exe --606904f7
          Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
          Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: unknown; Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
          Source: unknown; Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
          Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
          Source: unknown; Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
          Source: unknown; Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
          Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: C:\Windows\System32\svchost.exe; Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Process created: C:\Users\user\Desktop\methodsnetsh.exe --4a9ea48a
          Source: C:\Windows\SysWOW64\sensorias.exe; Process created: C:\Windows\SysWOW64\sensorias.exe --606904f7
          Source: C:\Windows\System32\svchost.exe; Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 0_2_0042D282 LoadLibraryA,GetProcAddress,FreeLibrary,0_2_0042D282
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 0_2_0041D3B0 push eax; ret 0_2_0041D3C4
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 0_2_0041D3B0 push eax; ret 0_2_0041D3EC
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 0_2_0041DC83 push ecx; ret 0_2_0041DC93
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 0_2_0041D6AC push eax; ret 0_2_0041D6CA
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 1_2_0041D3B0 push eax; ret 1_2_0041D3C4
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 1_2_0041D3B0 push eax; ret 1_2_0041D3EC
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 1_2_0041DC83 push ecx; ret 1_2_0041DC93
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 1_2_0041D6AC push eax; ret 1_2_0041D6CA
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 1_2_006FFD71 push edx; retf 1_2_006FFD80
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 1_2_006FFD52 push edx; iretd 1_2_006FFD70
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 1_2_006FFAF1 push edx; retf 1_2_006FFAF8
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 1_2_006FFAD3 push edx; iretd 1_2_006FFAD4
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 1_2_006FFB77 push edx; iretd 1_2_006FFB84
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 1_2_006FFB0F push edx; retf 1_2_006FFB10
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 1_2_006FFB1A push edx; retf 1_2_006FFB48
          Source: C:\Windows\SysWOW64\sensorias.exe; Code function: 6_2_00ABFAF1 push edx; retf 6_2_00ABFAF8
          Source: C:\Windows\SysWOW64\sensorias.exe; Code function: 6_2_00ABFAD3 push edx; iretd 6_2_00ABFAD4
          Source: C:\Windows\SysWOW64\sensorias.exe; Code function: 6_2_00ABFB0F push edx; retf 6_2_00ABFB10
          Source: C:\Windows\SysWOW64\sensorias.exe; Code function: 6_2_00ABFB1A push edx; retf 6_2_00ABFB48
          Source: C:\Windows\SysWOW64\sensorias.exe; Code function: 6_2_00ABFD71 push edx; retf 6_2_00ABFD80
          Source: C:\Windows\SysWOW64\sensorias.exe; Code function: 6_2_00ABFB77 push edx; iretd 6_2_00ABFB84
          Source: C:\Windows\SysWOW64\sensorias.exe; Code function: 6_2_00ABFD52 push edx; iretd 6_2_00ABFD70
          Source: C:\Windows\SysWOW64\sensorias.exe; Code function: 7_2_00EAFAF1 push edx; retf 7_2_00EAFAF8
          Source: C:\Windows\SysWOW64\sensorias.exe; Code function: 7_2_00EAFAD3 push edx; iretd 7_2_00EAFAD4
          Source: C:\Windows\SysWOW64\sensorias.exe; Code function: 7_2_00EAFD71 push edx; retf 7_2_00EAFD80
          Source: C:\Windows\SysWOW64\sensorias.exe; Code function: 7_2_00EAFB77 push edx; iretd 7_2_00EAFB84
          Source: C:\Windows\SysWOW64\sensorias.exe; Code function: 7_2_00EAFD52 push edx; iretd 7_2_00EAFD70
          Source: C:\Windows\SysWOW64\sensorias.exe; Code function: 7_2_00EAFB0F push edx; retf 7_2_00EAFB10
          Source: C:\Windows\SysWOW64\sensorias.exe; Code function: 7_2_00EAFB1A push edx; retf 7_2_00EAFB48

          Persistence and Installation Behavior:

          Drops executables to the windows directory (C:\Windows) and starts them
          Source: C:\Windows\SysWOW64\sensorias.exe; Executable created and started: C:\Windows\SysWOW64\sensorias.exe
          Source: C:\Users\user\Desktop\methodsnetsh.exe; PE file moved: C:\Windows\SysWOW64\sensorias.exe
          Source: C:\Users\user\Desktop\methodsnetsh.exe; Code function: 1_2_009DE138 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_009DE138

          Hooking and other Techniques for Hiding and Protection: