
Windows Analysis Report PHvqpLRfRl.exe

Overview

General Information

Sample Name:PHvqpLRfRl.exe
Analysis ID:463765
MD5:d8e003f1443fd417bff275f2ce89330c
SHA1:9489e8b85d2531b256f60803a8716a6efec34a97
SHA256:e234948d52b71a636aeb6d54c77620910456db6a65202710fed85d19246601cb

Detection

Emotet
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to several IPs in different countries
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)


Process Tree

  • System is w10x64
  • PHvqpLRfRl.exe (PID: 3176 cmdline: 'C:\Users\user\Desktop\PHvqpLRfRl.exe' MD5: D8E003F1443FD417BFF275F2CE89330C)
    • ipsmsnap.exe (PID: 2328 cmdline: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe MD5: D8E003F1443FD417BFF275F2CE89330C)
  • svchost.exe (PID: 6020 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5948 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 592 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5452 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4068 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5084 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 1836 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5912 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 4908 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 3868 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5080 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5576 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.467934925.0000000000E50000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.467384235.0000000000401000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.202006890.00000000003F0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.202145856.0000000000814000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.202173410.0000000000981000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.ipsmsnap.exe.400000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.ipsmsnap.exe.e5279e.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.ipsmsnap.exe.e5052e.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.2.PHvqpLRfRl.exe.3f279e.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.2.PHvqpLRfRl.exe.3f052e.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: PHvqpLRfRl.exe | Avira: detected
Found malware configuration
Source: 0.2.PHvqpLRfRl.exe.3f279e.0.raw.unpack | Malware Configuration Extractor: Emotet
Multi AV Scanner detection for submitted file
Source: PHvqpLRfRl.exe | Virustotal: Detection: 77%
Source: PHvqpLRfRl.exe | Metadefender: Detection: 51%
Source: PHvqpLRfRl.exe | ReversingLabs: Detection: 89%
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_01144C40 CryptAcquireContextA,CryptAcquireContextA,0_2_01144C40
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_01144C40 CryptAcquireContextA,CryptAcquireContextA,1_2_01144C40
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_00402210 CryptDestroyHash,CryptExportKey,CryptDuplicateHash,CryptGetHashParam,CryptEncrypt,memcpy,GetProcessHeap,HeapFree,1_2_00402210
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_004025A0 CryptAcquireContextW,CryptImportKey,LocalFree,CryptCreateHash,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey,1_2_004025A0
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_00401FA0 CryptDuplicateHash,CryptDestroyHash,memcpy,1_2_00401FA0
Source: PHvqpLRfRl.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PHvqpLRfRl.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_004038B0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,1_2_004038B0

Networking:

C2 URLs / IPs found in malware configuration
Source: unknown | Network traffic detected: IP country count 33
Source: global traffic | TCP traffic: 192.168.2.3:49726 -> 134.209.36.254:8080
Source: global traffic | TCP traffic: 192.168.2.3:49736 -> 104.156.59.7:8080
Source: global traffic | TCP traffic: 192.168.2.3:49737 -> 120.138.30.150:8080
Source: global traffic | TCP traffic: 192.168.2.3:49746 -> 104.236.246.93:8080
Source: Joe Sandbox View | IP Address: 94.200.114.161
Source: Joe Sandbox View | IP Address: 174.102.48.180
Source: Joe Sandbox View | ASN Name: DU-AS1AE
Source: Joe Sandbox View | ASN Name: TELECABLESpainES
Source: Joe Sandbox View | ASN Name: TWC-10796-MIDWESTUS
Source: unknown | TCP traffic detected without corresponding DNS query: 74.219.172.26
Source: unknown | TCP traffic detected without corresponding DNS query: 74.219.172.26
Source: unknown | TCP traffic detected without corresponding DNS query: 74.219.172.26
Source: unknown | TCP traffic detected without corresponding DNS query: 134.209.36.254
Source: unknown | TCP traffic detected without corresponding DNS query: 134.209.36.254
Source: unknown | TCP traffic detected without corresponding DNS query: 134.209.36.254
Source: unknown | TCP traffic detected without corresponding DNS query: 104.156.59.7
Source: unknown | TCP traffic detected without corresponding DNS query: 104.156.59.7
Source: unknown | TCP traffic detected without corresponding DNS query: 104.156.59.7
Source: unknown | TCP traffic detected without corresponding DNS query: 120.138.30.150
Source: unknown | TCP traffic detected without corresponding DNS query: 120.138.30.150
Source: unknown | TCP traffic detected without corresponding DNS query: 120.138.30.150
Source: unknown | TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown | TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown | TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp | String found in binary or memory: http://104.156.59.7:8080/3x1oIXeY
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp | String found in binary or memory: http://104.156.59.7:8080/3x1oIXewHYdNlV01/MCzATjJI1I/RPBsOTo7qERajOZz1lh/LN3m/MNxh/
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp | String found in binary or memory: http://104.156.59.7:8080/3x1oIXewHYdNlV01/MCzATjJI1I/RPBsOTo7qERajOZz1lh/LN3m/MNxh/#?
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp | String found in binary or memory: http://104.156.59.7:8080/3x1oIXewHYdNlV01/MCzATjJI1I/RPBsOTo7qERajOZz1lh/LN3m/MNxh/3
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp | String found in binary or memory: http://104.156.59.7:8080/3x1oIXewHYdNlV01/MCzATjJI1I/RPBsOTo7qERajOZz1lh/LN3m/MNxh/m
Source: ipsmsnap.exe, 00000001.00000002.470677696.00000000030B0000.00000004.00000001.sdmp | String found in binary or memory: http://104.236.246.93:8080/nNKoq5kK/
Source: ipsmsnap.exe, 00000001.00000002.470792566.00000000030DE000.00000004.00000001.sdmp | String found in binary or memory: http://104.236.246.93:8080/nNKoq5kK/=
Source: ipsmsnap.exe, 00000001.00000002.470677696.00000000030B0000.00000004.00000001.sdmp | String found in binary or memory: http://104.236.246.93:8080/nNKoq5kK/n
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp | String found in binary or memory: http://120.138.30.150:8080/2aF5ml4oR/WXLdIdZGpJmXIp5/
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp | String found in binary or memory: http://120.138.30.150:8080/2aF5ml4oR/WXLdIdZGpJmXIp5/PBsOTo7qERajOZz1lh/LN3m/MNxh/5?
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp | String found in binary or memory: http://120.138.30.150:8080/2aF5ml4oR/WXLdIdZGpJmXIp5/c8
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp | String found in binary or memory: http://134.209.36.254:8080/tWwU/w3xB1Bhz7yaslBgJS/q49F3NAtj1IqnXaW2A/GIQOEsdbSxikR6wT/lMJv8yE/
Source: ipsmsnap.exe, 00000001.00000002.468016701.0000000000E9A000.00000004.00000020.sdmp | String found in binary or memory: http://194.187.133.160:443/rRPAuzYPI/PCfjdWIpUQcAD/TNhKcjKj/nadJLloIjR2s5GA9b/NUnsi05bbdpoKVYXGgn/R8
Source: ipsmsnap.exe, 00000001.00000003.276535300.00000000030C4000.00000004.00000001.sdmp | String found in binary or memory: http://74.219.172.26/3vre0AbvHoC/72zolH2gtmnbq3QOxa/GmI2ntvI/3wNRQ8Motcr5/
Source: svchost.exe, 00000004.00000002.470968831.0000025BE688D000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000004.00000002.470968831.0000025BE688D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000004.00000002.470968831.0000025BE688D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000004.00000002.470303423.0000025BE66A0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000009.00000002.309127915.00000184DC213000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000006.00000002.467720725.0000025C8183D000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000002.467720725.0000025C8183D000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000006.00000002.467720725.0000025C8183D000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000006.00000002.467720725.0000025C8183D000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000002.467720725.0000025C8183D000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000003.308869309.00000184DC249000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.308869309.00000184DC249000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.309161825.00000184DC23D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.308869309.00000184DC249000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.308835499.00000184DC250000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.308869309.00000184DC249000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.309161825.00000184DC23D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000003.287207473.00000184DC230000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000009.00000002.309167893.00000184DC242000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000002.309167893.00000184DC242000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.308864231.00000184DC24C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.287207473.00000184DC230000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000009.00000003.308869309.00000184DC249000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.308864231.00000184DC24C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.308864231.00000184DC24C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000002.309195425.00000184DC265000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.309161825.00000184DC23D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.287207473.00000184DC230000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 00000009.00000002.309161825.00000184DC23D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 00000009.00000002.309161825.00000184DC23D000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.309127915.00000184DC213000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 00000009.00000003.287207473.00000184DC230000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 00000009.00000003.308892949.00000184DC245000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 00000009.00000003.287207473.00000184DC230000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 00000009.00000002.309155756.00000184DC239000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 00000009.00000003.308835499.00000184DC250000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                      Source: PHvqpLRfRl.exe, 00000000.00000002.202194536.0000000000A2A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
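Every URL row above is attributed to memory dumps of svchost.exe (process index 00000009), not to PHvqpLRfRl.exe or the dropped ipsmsnap.exe, so the Bing Maps and virtualearth.net strings are background-service noise from the analysis VM and should not be copied into an IOC list. The following Python is an added example, not part of the report or of any sandbox tooling: it parses rows of this shape (both the flattened "...sdmpString found..." form and a column-separated form), attributes each URL host to the process whose memory it was carved from, and separates hosts seen in sample-owned processes from hosts seen only in system processes. The set of sample-owned process names, the row regexes and the truncation heuristic are assumptions of this example; the input rows are copied from this report.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed input: rows copied from this report's "String found in binary or memory"
# block, in both the flattened form extraction produces ("...sdmpString found...") and a
# column-separated form, so the parser must accept either.
REPORT_ROWS = [
    "Source: svchost.exe, 00000009.00000003.308835499.00000184DC250000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=",
    "Source: svchost.exe, 00000009.00000003.308854579.00000184DC261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving",
    "Source: svchost.exe, 00000009.00000002.309161825.00000184DC23D000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.309127915.00000184DC213000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=",
    "Source: svchost.exe, 00000009.00000002.309195425.00000184DC265000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t",
    "Source: PHvqpLRfRl.exe, 00000000.00000002.202194536.0000000000A2A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE=\"DDRAW.DLL\" FUNCTION=\"DirectDrawCreateEx\"/>",
]

# Assumption: processes that belong to the sample are the submitted file and the copy it
# drops (both named in the report). Every other process is sandbox/OS background.
SAMPLE_PROCESSES = {"PHvqpLRfRl.exe", "ipsmsnap.exe"}

# "Source: <one or more dump ids> [|] <kind>: <value>"; the lazy ".sdmp" match backtracks
# past a first dump id when a second one follows it.
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.*?\.sdmp)\s*\|?\s*"
    r"(?P<kind>String found in binary or memory|Binary or memory string):\s*(?P<val>.*)$"
)
# "<process>.exe, <8-digit process index>." at the start of each dump id.
DUMP_RE = re.compile(r"(?P<proc>[^,\s]+\.exe),\s*(?P<pid_idx>\d{8})\.")


def parse_rows(rows):
    """Turn each report row into {'procs', 'pid_idxs', 'kind', 'value'}; skip unparsable rows."""
    records = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        dumps = DUMP_RE.findall(m.group("src"))
        records.append({
            "procs": sorted({p for p, _ in dumps}),
            "pid_idxs": sorted({i for _, i in dumps}),
            "kind": m.group("kind"),
            "value": m.group("val"),
        })
    return records


def hostname_of(value):
    """Return the host of a URL-looking string, or None for non-URL strings."""
    if not value.startswith(("http://", "https://")):
        return None
    return urlparse(value).hostname


def is_possibly_truncated(host):
    """Heuristic (assumption): memory-carved strings are often cut mid-URL; a one-letter
    last label such as 'dynamic.t' is a sign the host was not carved whole."""
    return host is not None and len(host.rsplit(".", 1)[-1]) < 2


def attribute_hosts(records):
    """Map host -> set of process names whose memory contained a URL for it."""
    hosts = defaultdict(set)
    for r in records:
        host = hostname_of(r["value"])
        if host:
            hosts[host].update(r["procs"])
    return dict(hosts)


def split_by_origin(hosts):
    """Hosts seen in sample-owned process memory vs. only in background processes."""
    from_sample = {h for h, procs in hosts.items() if procs & SAMPLE_PROCESSES}
    background_only = set(hosts) - from_sample
    return from_sample, background_only


if __name__ == "__main__":
    recs = parse_rows(REPORT_ROWS)
    hosts = attribute_hosts(recs)
    sample, noise = split_by_origin(hosts)
    print("sample-derived hosts:", sorted(sample))
    print("background-only hosts:", sorted(noise))
    print("possibly truncated:", sorted(h for h in hosts if is_possibly_truncated(h)))
```

On this report's rows the sample-derived set is empty and every host lands in the background-only set; the actual C2 addresses for this sample are listed in the report's configuration and network sections, not among these memory strings.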

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 1.2.ipsmsnap.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ipsmsnap.exe.e5279e.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ipsmsnap.exe.e5052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PHvqpLRfRl.exe.3f279e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PHvqpLRfRl.exe.3f052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PHvqpLRfRl.exe.980000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ipsmsnap.exe.e5052e.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PHvqpLRfRl.exe.3f279e.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ipsmsnap.exe.e5279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PHvqpLRfRl.exe.3f052e.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.467934925.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.467384235.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.202006890.00000000003F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.202145856.0000000000814000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.202173410.0000000000981000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.467972344.0000000000E64000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_004025A0 CryptAcquireContextW,CryptImportKey,LocalFree,CryptCreateHash,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | File created: C:\Windows\SysWOW64\BackgroundTransferHost\
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | File deleted: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe:Zone.Identifier
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_01159723
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_0114AFA8
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_0115A181
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_01154057
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_0115D060
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_011533D5
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_0114DBCA
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_011572CB
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_01153C22
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_011537ED
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_01158660
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_01152EE1
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003F380E
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003F98FE
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003F90CE
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003F9C6E
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003F7F8E
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_01159723
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_0114AFA8
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_0115A181
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_01154057
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_0115D060
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_011533D5
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_0114DBCA
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_011572CB
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_01153C22
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_011537ED
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_01158660
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_01152EE1
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_004080D0
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_004063F0
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_00401C70
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_00407D60
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_00407530
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_00E598FE
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_00E590CE
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_00E59C6E
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_00E5380E
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_00E57F8E
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: String function: 0114B2A0 appears 39 times
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: String function: 0114B2A0 appears 39 times
Source: PHvqpLRfRl.exe, 00000000.00000002.202478074.00000000010F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs PHvqpLRfRl.exe
Source: PHvqpLRfRl.exe, 00000000.00000002.202478074.00000000010F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PHvqpLRfRl.exe
Source: PHvqpLRfRl.exe, 00000000.00000002.202436609.0000000001090000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs PHvqpLRfRl.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: PHvqpLRfRl.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine | Classification label: mal88.troj.evad.winEXE@17/11@0/98
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_00404B90 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_011488A0 CoCreateInstance,VariantInit,VariantClear
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_01141850 CreateDCW,GetLastError,StartDocW,GetLastError,StartPage,GetLastError,ExtEscape,GetLastError,FindResourceW,SizeofResource,LoadResource,LockResource,GetLastError,ExtEscape,GetLastError,ExtEscape,GetLastError,EndPage,EndDoc,LocalFree,CoTaskMemFree,DeleteDC
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5188:120:WilError_01
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Command line argument: Virtua | 0_2_01143BC0
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Command line argument: lAlloc | 0_2_01143BC0
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Command line argument: kernel32.dll | 0_2_01143BC0
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Command line argument: 8192 | 0_2_01143BC0
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Command line argument: Virtua | 1_2_01143BC0
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Command line argument: lAlloc | 1_2_01143BC0
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Command line argument: kernel32.dll | 1_2_01143BC0
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Command line argument: 8192 | 1_2_01143BC0
Source: PHvqpLRfRl.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PHvqpLRfRl.exe | Virustotal: Detection: 77%
Source: PHvqpLRfRl.exe | Metadefender: Detection: 51%
Source: PHvqpLRfRl.exe | ReversingLabs: Detection: 89%
Source: unknown | Process created: C:\Users\user\Desktop\PHvqpLRfRl.exe 'C:\Users\user\Desktop\PHvqpLRfRl.exe'
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Process created: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Process created: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
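The three rows that matter for persistence in this report are the creation of the C:\Windows\SysWOW64\BackgroundTransferHost\ directory, the deletion of the ipsmsnap.exe:Zone.Identifier stream (the mark-of-the-web an Internet-sourced file carries) and the process creation of ipsmsnap.exe from that path by the sample. The following Python is an added example, not part of the report or of any EDR product: it correlates these three behaviours over a small constructed stream of process/file events, raising an alert when an executable is written under the Windows directory by a process that does not itself live there and is then executed, and raising severity when the Zone.Identifier stream was stripped in between. The event field names are an assumption loosely modeled on process and file telemetry, the event values mirror this report, the two background events are constructed benign noise, and the hard-coded C:\Windows\ prefix is an assumption.

```python
# Assumption: the Windows directory is C:\Windows\. Paths are compared case-insensitively
# because NTFS is case-insensitive; backslash-separated paths are assumed throughout.
WINDIR = "c:\\windows\\"
MOTW_STREAM = ":zone.identifier"


def _norm(path):
    return path.lower()


def _under_windir(path):
    return _norm(path).startswith(WINDIR)


# Constructed events. Field names are an assumption (loosely modeled on process/file
# telemetry such as Sysmon), not a real log export; values for seq 1-4 mirror this report,
# seq 5-6 are constructed benign background activity of the kind the report also lists.
EVENTS = [
    {"seq": 1, "type": "ProcessCreate", "image": r"C:\Users\user\Desktop\PHvqpLRfRl.exe",
     "parent": "unknown"},
    {"seq": 2, "type": "FileCreate", "image": r"C:\Users\user\Desktop\PHvqpLRfRl.exe",
     "target": r"C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe"},
    {"seq": 3, "type": "FileDelete", "image": r"C:\Users\user\Desktop\PHvqpLRfRl.exe",
     "target": r"C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe:Zone.Identifier"},
    {"seq": 4, "type": "ProcessCreate", "image": r"C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe",
     "parent": r"C:\Users\user\Desktop\PHvqpLRfRl.exe"},
    {"seq": 5, "type": "FileCreate", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\update.tmp"},
    {"seq": 6, "type": "ProcessCreate", "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
]


def detect_drop_and_execute(events):
    """Correlate: an .exe written under the Windows directory by a process living outside it,
    later executed; note whether its Zone.Identifier stream was removed in between.

    Returns one alert dict per executed drop. Events are processed in 'seq' order so a
    process creation only matches a drop that happened before it."""
    drops = {}   # normalized dropped path -> evidence gathered so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["seq"]):
        actor = ev["image"]
        if ev["type"] == "FileCreate":
            target = ev["target"]
            if (_under_windir(target) and _norm(target).endswith(".exe")
                    and not _under_windir(actor)):
                drops[_norm(target)] = {"dropped_by": actor, "path": target,
                                        "drop_seq": ev["seq"], "motw_removed": False}
        elif ev["type"] == "FileDelete":
            t = _norm(ev["target"])
            if t.endswith(MOTW_STREAM):
                base = t[: -len(MOTW_STREAM)]
                if base in drops:
                    drops[base]["motw_removed"] = True
        elif ev["type"] == "ProcessCreate":
            d = drops.get(_norm(actor))
            if d is not None:
                alerts.append({
                    "rule": "executable dropped into Windows directory and executed",
                    "dropped_by": d["dropped_by"],
                    "executed": d["path"],
                    "parent": ev["parent"],
                    "motw_removed": d["motw_removed"],
                    "severity": "high" if d["motw_removed"] else "medium",
                    "evidence_seq": (d["drop_seq"], ev["seq"]),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_drop_and_execute(EVENTS):
        print(alert)
```

Two limits of this rule as written: a drop performed by a process that already runs from the Windows directory (for example code injected into a service) is not flagged, because the actor check is what keeps legitimate servicing writes quiet, and the Zone.Identifier deletion only raises severity rather than triggering on its own, since many legitimate installers also strip the stream.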
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: PHvqpLRfRl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PHvqpLRfRl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PHvqpLRfRl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PHvqpLRfRl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PHvqpLRfRl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PHvqpLRfRl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PHvqpLRfRl.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: PHvqpLRfRl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PHvqpLRfRl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PHvqpLRfRl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PHvqpLRfRl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PHvqpLRfRl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PHvqpLRfRl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_00811030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_01156216 push ecx; ret | 0_2_01156229
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_0114B2E5 push ecx; ret | 0_2_0114B2F8
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003F782E push ecx; mov dword ptr [esp], 00002224h | 0_2_003F782F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003FE015 push 0000003Bh; ret | 0_2_003FE01A
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003F786E push ecx; mov dword ptr [esp], 0000A465h | 0_2_003F786F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003F78BE push ecx; mov dword ptr [esp], 0000C239h | 0_2_003F78BF
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003F788E push ecx; mov dword ptr [esp], 00000E88h | 0_2_003F788F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003F790E push ecx; mov dword ptr [esp], 0000B4A4h | 0_2_003F790F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003F797E push ecx; mov dword ptr [esp], 0000272Ah | 0_2_003F797F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003F794E push ecx; mov dword ptr [esp], 00001190h | 0_2_003F794F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003F79DE push ecx; mov dword ptr [esp], 0000C126h | 0_2_003F79DF
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003F7A3E push ecx; mov dword ptr [esp], 00008285h | 0_2_003F7A3F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003F7A7E push ecx; mov dword ptr [esp], 00006DE4h | 0_2_003F7A7F
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003FD76E push ecx; retf | 0_2_003FD7A5
Source: C:\Users\user\Desktop\PHvqpLRfRl.exe | Code function: 0_2_003F77EE push ecx; mov dword ptr [esp], 00008F8Eh | 0_2_003F77EF
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_01156216 push ecx; ret | 1_2_01156229
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_0114B2E5 push ecx; ret | 1_2_0114B2F8
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_00405C50 push ecx; mov dword ptr [esp], 00008F8Eh | 1_2_00405C51
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_00405CD0 push ecx; mov dword ptr [esp], 0000A465h | 1_2_00405CD1
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_00405CF0 push ecx; mov dword ptr [esp], 00000E88h | 1_2_00405CF1
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_00405C90 push ecx; mov dword ptr [esp], 00002224h | 1_2_00405C91
Source: C:\Windows\SysWOW64\BackgroundTransferHost\ipsmsnap.exe | Code function: 1_2_00405D70 push ecx; mov dword ptr [esp], 0000B4A4h | 1_2_00405D71