Windows Analysis Report PHvqpLRfRl.exe

Overview

General Information

Sample Name: PHvqpLRfRl.exe
Analysis ID: 463765
MD5: d8e003f1443fd417bff275f2ce89330c
SHA1: 9489e8b85d2531b256f60803a8716a6efec34a97
SHA256: e234948d52b71a636aeb6d54c77620910456db6a65202710fed85d19246601cb

Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to several IPs in different countries
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: PHvqpLRfRl.exe Avira: detected
Found malware configuration
Source: 0.2.PHvqpLRfRl.exe.3f279e.0.raw.unpack Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["74.219.172.26:80", "134.209.36.254:8080", "104.156.59.7:8080", "120.138.30.150:8080", "194.187.133.160:443", "104.236.246.93:8080", "74.208.45.104:8080", "78.187.156.31:80", "187.161.206.24:80", "94.23.216.33:80", "172.91.208.86:80", "91.211.88.52:7080", "50.91.114.38:80", "200.123.150.89:443", "121.124.124.40:7080", "62.75.141.82:80", "5.196.74.210:8080", "24.137.76.62:80", "85.105.205.77:8080", "139.130.242.43:80", "82.225.49.121:80", "110.145.77.103:80", "195.251.213.56:80", "46.105.131.79:8080", "87.106.136.232:8080", "75.139.38.211:80", "124.41.215.226:80", "203.153.216.189:7080", "162.241.242.173:8080", "219.74.18.66:443", "174.45.13.118:80", "68.188.112.97:80", "200.114.213.233:8080", "213.196.135.145:80", "61.92.17.12:80", "61.19.246.238:443", "219.75.128.166:80", "120.150.60.189:80", "123.176.25.234:80", "1.221.254.82:80", "137.119.36.33:80", "94.23.237.171:443", "74.120.55.163:80", "62.30.7.67:443", "104.131.11.150:443", "139.59.67.118:443", "209.141.54.221:8080", "79.137.83.50:443", "84.39.182.7:80", "97.82.79.83:80", "87.106.139.101:8080", "94.1.108.190:443", "37.187.72.193:8080", "139.162.108.71:8080", "93.147.212.206:80", "74.134.41.124:80", "103.86.49.11:8080", "75.80.124.4:80", "109.74.5.95:8080", "153.232.188.106:80", "168.235.67.138:7080", "50.35.17.13:80", "42.200.107.142:80", "82.80.155.43:80", "78.24.219.147:8080", "24.43.99.75:80", "107.5.122.110:80", "156.155.166.221:80", "83.169.36.251:8080", "47.144.21.12:443", "79.98.24.39:8080", "181.169.34.190:80", "139.59.60.244:8080", "85.152.162.105:80", "185.94.252.104:443", "110.5.16.198:80", "174.102.48.180:443", "140.186.212.146:80", "95.179.229.244:8080", "104.32.141.43:80", "169.239.182.217:8080", "121.7.127.163:80", "94.200.114.161:80", "201.173.217.124:443", "104.131.44.150:8080", "137.59.187.107:8080", "5.39.91.110:7080", "203.117.253.142:80", "157.245.99.39:8080", "176.111.60.55:8080", "95.213.236.64:8080", "220.245.198.194:80", "37.139.21.175:8080", "89.216.122.92:80", "139.99.158.11:443", "24.179.13.119:80", "188.219.31.12:80"]}
Multi AV Scanner detection for submitted file
Source: PHvqpLRfRl.exe Virustotal: Detection: 77%
Source: PHvqpLRfRl.exe Metadefender: Detection: 51%
Source: PHvqpLRfRl.exe ReversingLabs: Detection: 89%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_01144C40 CryptAcquireContextA,CryptAcquireContextA, 0_2_01144C40
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_01144C40 CryptAcquireContextA,CryptAcquireContextA, 1_2_01144C40
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00402210 CryptDestroyHash,CryptExportKey,CryptDuplicateHash,CryptGetHashParam,CryptEncrypt,memcpy,GetProcessHeap,HeapFree, 1_2_00402210
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_004025A0 CryptAcquireContextW,CryptImportKey,LocalFree,CryptCreateHash,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey, 1_2_004025A0
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00401FA0 CryptDuplicateHash,CryptDestroyHash,memcpy, 1_2_00401FA0

Compliance:

Uses 32bit PE files
Source: PHvqpLRfRl.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PHvqpLRfRl.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_004038B0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose, 1_2_004038B0

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 74.219.172.26:80
Source: Malware configuration extractor IPs: 134.209.36.254:8080
Source: Malware configuration extractor IPs: 104.156.59.7:8080
Source: Malware configuration extractor IPs: 120.138.30.150:8080
Source: Malware configuration extractor IPs: 194.187.133.160:443
Source: Malware configuration extractor IPs: 104.236.246.93:8080
Source: Malware configuration extractor IPs: 74.208.45.104:8080
Source: Malware configuration extractor IPs: 78.187.156.31:80
Source: Malware configuration extractor IPs: 187.161.206.24:80
Source: Malware configuration extractor IPs: 94.23.216.33:80
Source: Malware configuration extractor IPs: 172.91.208.86:80
Source: Malware configuration extractor IPs: 91.211.88.52:7080
Source: Malware configuration extractor IPs: 50.91.114.38:80
Source: Malware configuration extractor IPs: 200.123.150.89:443
Source: Malware configuration extractor IPs: 121.124.124.40:7080
Source: Malware configuration extractor IPs: 62.75.141.82:80
Source: Malware configuration extractor IPs: 5.196.74.210:8080
Source: Malware configuration extractor IPs: 24.137.76.62:80
Source: Malware configuration extractor IPs: 85.105.205.77:8080
Source: Malware configuration extractor IPs: 139.130.242.43:80
Source: Malware configuration extractor IPs: 82.225.49.121:80
Source: Malware configuration extractor IPs: 110.145.77.103:80
Source: Malware configuration extractor IPs: 195.251.213.56:80
Source: Malware configuration extractor IPs: 46.105.131.79:8080
Source: Malware configuration extractor IPs: 87.106.136.232:8080
Source: Malware configuration extractor IPs: 75.139.38.211:80
Source: Malware configuration extractor IPs: 124.41.215.226:80
Source: Malware configuration extractor IPs: 203.153.216.189:7080
Source: Malware configuration extractor IPs: 162.241.242.173:8080
Source: Malware configuration extractor IPs: 219.74.18.66:443
Source: Malware configuration extractor IPs: 174.45.13.118:80
Source: Malware configuration extractor IPs: 68.188.112.97:80
Source: Malware configuration extractor IPs: 200.114.213.233:8080
Source: Malware configuration extractor IPs: 213.196.135.145:80
Source: Malware configuration extractor IPs: 61.92.17.12:80
Source: Malware configuration extractor IPs: 61.19.246.238:443
Source: Malware configuration extractor IPs: 219.75.128.166:80
Source: Malware configuration extractor IPs: 120.150.60.189:80
Source: Malware configuration extractor IPs: 123.176.25.234:80
Source: Malware configuration extractor IPs: 1.221.254.82:80
Source: Malware configuration extractor IPs: 137.119.36.33:80
Source: Malware configuration extractor IPs: 94.23.237.171:443
Source: Malware configuration extractor IPs: 74.120.55.163:80
Source: Malware configuration extractor IPs: 62.30.7.67:443
Source: Malware configuration extractor IPs: 104.131.11.150:443
Source: Malware configuration extractor IPs: 139.59.67.118:443
Source: Malware configuration extractor IPs: 209.141.54.221:8080
Source: Malware configuration extractor IPs: 79.137.83.50:443
Source: Malware configuration extractor IPs: 84.39.182.7:80
Source: Malware configuration extractor IPs: 97.82.79.83:80
Source: Malware configuration extractor IPs: 87.106.139.101:8080
Source: Malware configuration extractor IPs: 94.1.108.190:443
Source: Malware configuration extractor IPs: 37.187.72.193:8080
Source: Malware configuration extractor IPs: 139.162.108.71:8080
Source: Malware configuration extractor IPs: 93.147.212.206:80
Source: Malware configuration extractor IPs: 74.134.41.124:80
Source: Malware configuration extractor IPs: 103.86.49.11:8080
Source: Malware configuration extractor IPs: 75.80.124.4:80
Source: Malware configuration extractor IPs: 109.74.5.95:8080
Source: Malware configuration extractor IPs: 153.232.188.106:80
Source: Malware configuration extractor IPs: 168.235.67.138:7080
Source: Malware configuration extractor IPs: 50.35.17.13:80
Source: Malware configuration extractor IPs: 42.200.107.142:80
Source: Malware configuration extractor IPs: 82.80.155.43:80
Source: Malware configuration extractor IPs: 78.24.219.147:8080
Source: Malware configuration extractor IPs: 24.43.99.75:80
Source: Malware configuration extractor IPs: 107.5.122.110:80
Source: Malware configuration extractor IPs: 156.155.166.221:80
Source: Malware configuration extractor IPs: 83.169.36.251:8080
Source: Malware configuration extractor IPs: 47.144.21.12:443
Source: Malware configuration extractor IPs: 79.98.24.39:8080
Source: Malware configuration extractor IPs: 181.169.34.190:80
Source: Malware configuration extractor IPs: 139.59.60.244:8080
Source: Malware configuration extractor IPs: 85.152.162.105:80
Source: Malware configuration extractor IPs: 185.94.252.104:443
Source: Malware configuration extractor IPs: 110.5.16.198:80
Source: Malware configuration extractor IPs: 174.102.48.180:443
Source: Malware configuration extractor IPs: 140.186.212.146:80
Source: Malware configuration extractor IPs: 95.179.229.244:8080
Source: Malware configuration extractor IPs: 104.32.141.43:80
Source: Malware configuration extractor IPs: 169.239.182.217:8080
Source: Malware configuration extractor IPs: 121.7.127.163:80
Source: Malware configuration extractor IPs: 94.200.114.161:80
Source: Malware configuration extractor IPs: 201.173.217.124:443
Source: Malware configuration extractor IPs: 104.131.44.150:8080
Source: Malware configuration extractor IPs: 137.59.187.107:8080
Source: Malware configuration extractor IPs: 5.39.91.110:7080
Source: Malware configuration extractor IPs: 203.117.253.142:80
Source: Malware configuration extractor IPs: 157.245.99.39:8080
Source: Malware configuration extractor IPs: 176.111.60.55:8080
Source: Malware configuration extractor IPs: 95.213.236.64:8080
Source: Malware configuration extractor IPs: 220.245.198.194:80
Source: Malware configuration extractor IPs: 37.139.21.175:8080
Source: Malware configuration extractor IPs: 89.216.122.92:80
Source: Malware configuration extractor IPs: 139.99.158.11:443
Source: Malware configuration extractor IPs: 24.179.13.119:80
Source: Malware configuration extractor IPs: 188.219.31.12:80
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 33
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49726 -> 134.209.36.254:8080
Source: global traffic TCP traffic: 192.168.2.3:49736 -> 104.156.59.7:8080
Source: global traffic TCP traffic: 192.168.2.3:49737 -> 120.138.30.150:8080
Source: global traffic TCP traffic: 192.168.2.3:49746 -> 104.236.246.93:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 94.200.114.161
Source: Joe Sandbox View IP Address: 174.102.48.180
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DU-AS1AE
Source: Joe Sandbox View ASN Name: TELECABLESpainES
Source: Joe Sandbox View ASN Name: TWC-10796-MIDWESTUS
Source: unknown TCP traffic detected without corresponding DNS query: 74.219.172.26
Source: unknown TCP traffic detected without corresponding DNS query: 134.209.36.254
Source: unknown TCP traffic detected without corresponding DNS query: 104.156.59.7
Source: unknown TCP traffic detected without corresponding DNS query: 120.138.30.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp String found in binary or memory: http://104.156.59.7:8080/3x1oIXeY
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp String found in binary or memory: http://104.156.59.7:8080/3x1oIXewHYdNlV01/MCzATjJI1I/RPBsOTo7qERajOZz1lh/LN3m/MNxh/
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp String found in binary or memory: http://104.156.59.7:8080/3x1oIXewHYdNlV01/MCzATjJI1I/RPBsOTo7qERajOZz1lh/LN3m/MNxh/#?
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp String found in binary or memory: http://104.156.59.7:8080/3x1oIXewHYdNlV01/MCzATjJI1I/RPBsOTo7qERajOZz1lh/LN3m/MNxh/3
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp String found in binary or memory: http://104.156.59.7:8080/3x1oIXewHYdNlV01/MCzATjJI1I/RPBsOTo7qERajOZz1lh/LN3m/MNxh/m
Source: ipsmsnap.exe, 00000001.00000002.470677696.00000000030B0000.00000004.00000001.sdmp String found in binary or memory: http://104.236.246.93:8080/nNKoq5kK/
Source: ipsmsnap.exe, 00000001.00000002.470792566.00000000030DE000.00000004.00000001.sdmp String found in binary or memory: http://104.236.246.93:8080/nNKoq5kK/=
Source: ipsmsnap.exe, 00000001.00000002.470677696.00000000030B0000.00000004.00000001.sdmp String found in binary or memory: http://104.236.246.93:8080/nNKoq5kK/n
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp String found in binary or memory: http://120.138.30.150:8080/2aF5ml4oR/WXLdIdZGpJmXIp5/
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp String found in binary or memory: http://120.138.30.150:8080/2aF5ml4oR/WXLdIdZGpJmXIp5/PBsOTo7qERajOZz1lh/LN3m/MNxh/5?
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp String found in binary or memory: http://120.138.30.150:8080/2aF5ml4oR/WXLdIdZGpJmXIp5/c8
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp String found in binary or memory: http://134.209.36.254:8080/tWwU/w3xB1Bhz7yaslBgJS/q49F3NAtj1IqnXaW2A/GIQOEsdbSxikR6wT/lMJv8yE/
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp String found in binary or memory: http://194.187.133.160:443/rRPAuzYPI/PCfjdWIpUQcAD/TNhKcjKj/nadJLloIjR2s5GA9b/NUnsi05bbdpoKVYXGgn/R8
Source: ipsmsnap.exe, 00000001.00000003.276535300.00000000030C4000.00000004.00000001.sdmp String found in binary or memory: http://74.219.172.26/3vre0AbvHoC/72zolH2gtmnbq3QOxa/GmI2ntvI/3wNRQ8Motcr5/
Source: svchost.exe, 00000004.00000002.470968831.0000025BE688D000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000004.00000002.470968831.0000025BE688D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000004.00000002.470968831.0000025BE688D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000004.00000002.470303423.0000025BE66A0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000009.00000002.309127915.00000184DC213000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000006.00000002.467720725.0000025C8183D000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000002.467720725.0000025C8183D000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000006.00000002.467720725.0000025C8183D000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000006.00000002.467720725.0000025C8183D000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000002.467720725.0000025C8183D000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000003.308869309.00000184DC249000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.308869309.00000184DC249000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.309161825.00000184DC23D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.308869309.00000184DC249000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.308835499.00000184DC250000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.308869309.00000184DC249000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.309161825.00000184DC23D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000003.287207473.00000184DC230000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000009.00000002.309167893.00000184DC242000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000002.309167893.00000184DC242000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.308864231.00000184DC24C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.287207473.00000184DC230000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000009.00000003.308869309.00000184DC249000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.308864231.00000184DC24C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.308864231.00000184DC24C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000002.309195425.00000184DC265000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.309161825.00000184DC23D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.287207473.00000184DC230000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000002.309161825.00000184DC23D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.309161825.00000184DC23D000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.309127915.00000184DC213000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.287207473.00000184DC230000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.308892949.00000184DC245000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.287207473.00000184DC230000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000002.309155756.00000184DC239000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000003.308835499.00000184DC250000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: PHvqpLRfRl.exe, 00000000.00000002.202194536.0000000000A2A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 1.2.ipsmsnap.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ipsmsnap.exe.e5279e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ipsmsnap.exe.e5052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PHvqpLRfRl.exe.3f279e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PHvqpLRfRl.exe.3f052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PHvqpLRfRl.exe.980000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ipsmsnap.exe.e5052e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PHvqpLRfRl.exe.3f279e.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ipsmsnap.exe.e5279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PHvqpLRfRl.exe.3f052e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.467934925.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.467384235.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.202006890.00000000003F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.202145856.0000000000814000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.202173410.0000000000981000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.467972344.0000000000E64000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_004025A0 CryptAcquireContextW,CryptImportKey,LocalFree,CryptCreateHash,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey, 1_2_004025A0

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe File created: C:\Windows\SysWOW64\BackgroundTransferHost\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe File deleted: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_01159723 0_2_01159723
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_0114AFA8 0_2_0114AFA8
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_0115A181 0_2_0115A181
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_01154057 0_2_01154057
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_0115D060 0_2_0115D060
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_011533D5 0_2_011533D5
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_0114DBCA 0_2_0114DBCA
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_011572CB 0_2_011572CB
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_01153C22 0_2_01153C22
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_011537ED 0_2_011537ED
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_01158660 0_2_01158660
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_01152EE1 0_2_01152EE1
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F380E 0_2_003F380E
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F98FE 0_2_003F98FE
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F90CE 0_2_003F90CE
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F9C6E 0_2_003F9C6E
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F7F8E 0_2_003F7F8E
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_01159723 1_2_01159723
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_0114AFA8 1_2_0114AFA8
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_0115A181 1_2_0115A181
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_01154057 1_2_01154057
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_0115D060 1_2_0115D060
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_011533D5 1_2_011533D5
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_0114DBCA 1_2_0114DBCA
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_011572CB 1_2_011572CB
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_01153C22 1_2_01153C22
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_011537ED 1_2_011537ED
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_01158660 1_2_01158660
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_01152EE1 1_2_01152EE1
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_004080D0 1_2_004080D0
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_004063F0 1_2_004063F0
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00401C70 1_2_00401C70
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00407D60 1_2_00407D60
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00407530 1_2_00407530
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00E598FE 1_2_00E598FE
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00E590CE 1_2_00E590CE
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00E59C6E 1_2_00E59C6E
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00E5380E 1_2_00E5380E
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00E57F8E 1_2_00E57F8E
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: String function: 0114B2A0 appears 39 times
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: String function: 0114B2A0 appears 39 times
Sample file is different than original file name gathered from version info
Source: PHvqpLRfRl.exe, 00000000.00000002.202478074.00000000010F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PHvqpLRfRl.exe
Source: PHvqpLRfRl.exe, 00000000.00000002.202478074.00000000010F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PHvqpLRfRl.exe
Source: PHvqpLRfRl.exe, 00000000.00000002.202436609.0000000001090000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PHvqpLRfRl.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Uses 32bit PE files
Source: PHvqpLRfRl.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine Classification label: mal88.troj.evad.winEXE@17/11@0/98
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00404B90 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification, 1_2_00404B90
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_011488A0 CoCreateInstance,VariantInit,VariantClear, 0_2_011488A0
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_01141850 CreateDCW,GetLastError,StartDocW,GetLastError,StartPage,GetLastError,ExtEscape,GetLastError,FindResourceW,SizeofResource,LoadResource,LockResource,GetLastError,ExtEscape,GetLastError,ExtEscape,GetLastError,EndPage,EndDoc,LocalFree,CoTaskMemFree,DeleteDC, 0_2_01141850
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5188:120:WilError_01
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Command line argument: Virtua 0_2_01143BC0
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Command line argument: lAlloc 0_2_01143BC0
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Command line argument: kernel32.dll 0_2_01143BC0
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Command line argument: 8192 0_2_01143BC0
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Command line argument: Virtua 1_2_01143BC0
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Command line argument: lAlloc 1_2_01143BC0
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Command line argument: kernel32.dll 1_2_01143BC0
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Command line argument: 8192 1_2_01143BC0
Source: PHvqpLRfRl.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PHvqpLRfRl.exe Virustotal: Detection: 77%
Source: PHvqpLRfRl.exe Metadefender: Detection: 51%
Source: PHvqpLRfRl.exe ReversingLabs: Detection: 89%
Source: unknown Process created: C:\Users\user\Desktop\PHvqpLRfRl.exe 'C:\Users\user\Desktop\PHvqpLRfRl.exe'
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Process created: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Process created: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: PHvqpLRfRl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PHvqpLRfRl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PHvqpLRfRl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PHvqpLRfRl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PHvqpLRfRl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PHvqpLRfRl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PHvqpLRfRl.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: PHvqpLRfRl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PHvqpLRfRl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PHvqpLRfRl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PHvqpLRfRl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PHvqpLRfRl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PHvqpLRfRl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_00811030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_00811030
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_01156216 push ecx; ret 0_2_01156229
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_0114B2E5 push ecx; ret 0_2_0114B2F8
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F782E push ecx; mov dword ptr [esp], 00002224h 0_2_003F782F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003FE015 push 0000003Bh; ret 0_2_003FE01A
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F786E push ecx; mov dword ptr [esp], 0000A465h 0_2_003F786F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F78BE push ecx; mov dword ptr [esp], 0000C239h 0_2_003F78BF
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F788E push ecx; mov dword ptr [esp], 00000E88h 0_2_003F788F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F790E push ecx; mov dword ptr [esp], 0000B4A4h 0_2_003F790F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F797E push ecx; mov dword ptr [esp], 0000272Ah 0_2_003F797F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F794E push ecx; mov dword ptr [esp], 00001190h 0_2_003F794F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F79DE push ecx; mov dword ptr [esp], 0000C126h 0_2_003F79DF
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F7A3E push ecx; mov dword ptr [esp], 00008285h 0_2_003F7A3F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F7A7E push ecx; mov dword ptr [esp], 00006DE4h 0_2_003F7A7F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003FD76E push ecx; retf 0_2_003FD7A5
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F77EE push ecx; mov dword ptr [esp], 00008F8Eh 0_2_003F77EF
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_01156216 push ecx; ret 1_2_01156229
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_0114B2E5 push ecx; ret 1_2_0114B2F8
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00405C50 push ecx; mov dword ptr [esp], 00008F8Eh 1_2_00405C51
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00405CD0 push ecx; mov dword ptr [esp], 0000A465h 1_2_00405CD1
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00405CF0 push ecx; mov dword ptr [esp], 00000E88h 1_2_00405CF1
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00405C90 push ecx; mov dword ptr [esp], 00002224h 1_2_00405C91
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00405D70 push ecx; mov dword ptr [esp], 0000B4A4h 1_2_00405D71
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00405D20 push ecx; mov dword ptr [esp], 0000C239h 1_2_00405D21
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00405DE0 push ecx; mov dword ptr [esp], 0000272Ah 1_2_00405DE1
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00405DB0 push ecx; mov dword ptr [esp], 00001190h 1_2_00405DB1
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00405E40 push ecx; mov dword ptr [esp], 0000C126h 1_2_00405E41
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00405EE0 push ecx; mov dword ptr [esp], 00006DE4h 1_2_00405EE1
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00405EA0 push ecx; mov dword ptr [esp], 00008285h 1_2_00405EA1
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00E578BE push ecx; mov dword ptr [esp], 0000C239h 1_2_00E578BF
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00E5788E push ecx; mov dword ptr [esp], 00000E88h 1_2_00E5788F
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00E5786E push ecx; mov dword ptr [esp], 0000A465h 1_2_00E5786F

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Executable created and started: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe PE file moved: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe File opened: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_0114AFA8 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0114AFA8
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 2348 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_004038B0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose, 1_2_004038B0
Source: svchost.exe, 00000004.00000002.468125375.0000025BE102A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@`
Source: svchost.exe, 00000006.00000002.470048622.0000025C82540000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.406272493.000002D9E9EB0000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.442538315.0000020D20460000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp, svchost.exe, 00000004.00000002.470829364.0000025BE6861000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.467871912.000001431E402000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000006.00000002.470048622.0000025C82540000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.406272493.000002D9E9EB0000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.442538315.0000020D20460000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: ipsmsnap.exe, 00000001.00000002.470677696.00000000030B0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW '
Source: svchost.exe, 00000006.00000002.470048622.0000025C82540000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.406272493.000002D9E9EB0000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.442538315.0000020D20460000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000005.00000002.467943438.000001431E429000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.467809094.0000025C8186A000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.468178940.00000224C302A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000006.00000002.470048622.0000025C82540000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.406272493.000002D9E9EB0000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.442538315.0000020D20460000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_0114A9FD IsDebuggerPresent, 0_2_0114A9FD
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_01155B25 EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_01155B25
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_00811030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_00811030
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F689E mov eax, dword ptr fs:[00000030h] 0_2_003F689E
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F095E mov eax, dword ptr fs:[00000030h] 0_2_003F095E
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F59DE mov eax, dword ptr fs:[00000030h] 0_2_003F59DE
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_003F0456 mov eax, dword ptr fs:[00000030h] 0_2_003F0456
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_00811030 mov eax, dword ptr fs:[00000030h] 0_2_00811030
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00404D00 mov eax, dword ptr fs:[00000030h] 1_2_00404D00
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00403E40 mov eax, dword ptr fs:[00000030h] 1_2_00403E40
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00E5689E mov eax, dword ptr fs:[00000030h] 1_2_00E5689E
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00E50456 mov eax, dword ptr fs:[00000030h] 1_2_00E50456
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00E559DE mov eax, dword ptr fs:[00000030h] 1_2_00E559DE
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00E5095E mov eax, dword ptr fs:[00000030h] 1_2_00E5095E
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_00E61030 mov eax, dword ptr fs:[00000030h] 1_2_00E61030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_0114D5D3 GetProcessHeap, 0_2_0114D5D3
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_01150719 SetUnhandledExceptionFilter, 0_2_01150719
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_0115074A SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0115074A
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_01150719 SetUnhandledExceptionFilter, 1_2_01150719
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_0115074A SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0115074A
Source: ipsmsnap.exe, 00000001.00000002.468782451.0000000001760000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.468409509.0000026BD2060000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: ipsmsnap.exe, 00000001.00000002.468782451.0000000001760000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.468409509.0000026BD2060000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: ipsmsnap.exe, 00000001.00000002.468782451.0000000001760000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.468409509.0000026BD2060000.00000002.00000001.sdmp Binary or memory string: Progman
Source: ipsmsnap.exe, 00000001.00000002.468782451.0000000001760000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.468409509.0000026BD2060000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_0114A7BC cpuid 0_2_0114A7BC
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: EnumSystemLocalesW, 0_2_01155179
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_011551FC
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: GetLocaleInfoW, 0_2_0115500C
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: EnumSystemLocalesW, 0_2_011550BC
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: EnumSystemLocalesW, 0_2_011550FC
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: GetLocaleInfoW, 0_2_011553F1
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0115551B
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: EnumSystemLocalesW, 0_2_01150D02
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: GetLocaleInfoW, 0_2_01150D3F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: GetLocaleInfoW, 0_2_011555C8
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: _GetLcidFromLangCountry,_GetLcidFromLangCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_01155632
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: _GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,IsValidCodePage,GetLocaleInfoW, 0_2_01154E48
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: EnumSystemLocalesW, 1_2_01155179
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_011551FC
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: GetLocaleInfoW, 1_2_0115500C
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: EnumSystemLocalesW, 1_2_011550BC
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: EnumSystemLocalesW, 1_2_011550FC
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: GetLocaleInfoW, 1_2_011553F1
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_0115551B
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: EnumSystemLocalesW, 1_2_01150D02
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: GetLocaleInfoW, 1_2_01150D3F
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: GetLocaleInfoW, 1_2_011555C8
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: _GetLcidFromLangCountry,_GetLcidFromLangCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_01155632
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: _GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,IsValidCodePage,GetLocaleInfoW, 1_2_01154E48
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Code function: 0_2_01150216 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_01150216
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe Code function: 1_2_004052E0 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo, 1_2_004052E0
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000B.00000002.468110144.0000026AEC03D000.00000004.00000001.sdmp Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000B.00000002.468195529.0000026AEC102000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 1.2.ipsmsnap.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ipsmsnap.exe.e5279e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ipsmsnap.exe.e5052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PHvqpLRfRl.exe.3f279e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PHvqpLRfRl.exe.3f052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PHvqpLRfRl.exe.980000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ipsmsnap.exe.e5052e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PHvqpLRfRl.exe.3f279e.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ipsmsnap.exe.e5279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PHvqpLRfRl.exe.3f052e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.467934925.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.467384235.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.202006890.00000000003F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.202145856.0000000000814000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.202173410.0000000000981000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.467972344.0000000000E64000.00000004.00000001.sdmp, type: MEMORY