Play interactive tour

Edit tour

Windows Analysis Report KNEa2w7v3a.exe

Overview

General Information

Sample Name:	KNEa2w7v3a.exe
Analysis ID:	463770
MD5:	f8adcf71a8c4e5c16d11308dff998ece
SHA1:	2246c5925aca1446078a4cacbafeda7076eb050a
SHA256:	5303823581f2696ae62f21e42a8b0c4d446d2fa9f820e0f04a15992d6a59c59b
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Emotet

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Connects to several IPs in different countries

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

svchost.exe (PID: 5868 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

KNEa2w7v3a.exe (PID: 5700 cmdline: 'C:\Users\user\Desktop\KNEa2w7v3a.exe' MD5: F8ADCF71A8C4E5C16D11308DFF998ECE)

wiaacmgr.exe (PID: 6124 cmdline: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe MD5: F8ADCF71A8C4E5C16D11308DFF998ECE)

Windows.Media.Playback.MediaPlayer.exe (PID: 6052 cmdline: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe MD5: F8ADCF71A8C4E5C16D11308DFF998ECE)

svchost.exe (PID: 5376 cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1736 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4260 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5900 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2024 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4364 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6076 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4788 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5728 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 496 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 1180 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 4072 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 720 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["190.202.229.74:80", "118.69.11.81:7080", "70.39.251.94:8080", "87.230.25.43:8080", "94.23.62.116:8080", "37.187.161.206:8080", "45.46.37.97:80", "138.97.60.141:7080", "177.144.130.105:8080", "169.1.39.242:80", "209.236.123.42:8080", "202.134.4.210:7080", "193.251.77.110:80", "2.45.176.233:80", "217.13.106.14:8080", "189.223.16.99:80", "190.101.156.139:80", "77.238.212.227:80", "181.58.181.9:80", "37.183.81.217:80", "74.58.215.226:80", "174.118.202.24:443", "168.197.45.36:80", "81.215.230.173:443", "192.175.111.212:7080", "216.47.196.104:80", "128.92.203.42:80", "94.176.234.118:443", "191.182.6.118:80", "212.71.237.140:8080", "24.232.228.233:80", "177.73.0.98:443", "177.23.7.151:80", "24.135.69.146:80", "83.169.21.32:7080", "189.34.181.88:80", "179.222.115.170:80", "177.144.130.105:443", "213.197.182.158:8080", "5.89.33.136:80", "77.78.196.173:443", "120.72.18.91:80", "50.28.51.143:8080", "190.64.88.186:443", "111.67.12.221:8080", "12.162.84.2:8080", "46.105.114.137:8080", "59.148.253.194:8080", "201.213.177.139:80", "82.76.52.155:80", "172.104.169.32:8080", "188.251.213.180:80", "46.43.2.95:8080", "137.74.106.111:7080", "188.135.15.49:80", "185.94.252.27:443", "197.232.36.108:80", "60.249.78.226:8080", "187.162.248.237:80", "181.129.96.162:8080", "46.101.58.37:8080", "109.242.153.9:80", "178.211.45.66:8080", "200.59.6.174:80", "83.103.179.156:80", "172.86.186.21:8080", "70.32.115.157:8080", "81.214.253.80:443", "201.49.239.200:443", "149.202.72.142:7080", "190.45.24.210:80", "186.189.249.2:80", "219.92.13.25:80", "170.81.48.2:80", "51.75.33.127:80", "192.241.143.52:8080", "45.33.77.42:8080", "152.169.22.67:80", "1.226.84.243:8080", "78.206.229.130:80", "37.179.145.105:80", "68.183.170.114:8080", "192.232.229.54:7080", "103.236.179.162:80", "70.32.84.74:8080", "79.118.74.90:80", "60.93.23.51:80", "181.120.29.49:80", "213.52.74.198:80", "51.255.165.160:8080", "183.176.82.231:80", "186.193.229.123:80", "98.103.204.12:443", "129.232.220.11:8080", "181.61.182.143:80", "68.183.190.199:8080", "190.115.18.139:8080", "200.24.255.23:80", "103.13.224.53:80", "85.214.26.7:8080", "190.24.243.186:80", "87.106.46.107:8080", "177.107.79.214:8080", "12.163.208.58:80", "187.162.250.23:443", "109.101.137.162:8080", "82.76.111.249:443", "181.30.61.163:443", "5.196.35.138:7080", "51.15.7.145:80", "192.198.91.138:443", "188.157.101.114:80", "189.2.177.210:443", "181.123.6.86:80", "109.190.35.249:80", "45.16.226.117:443", "190.190.219.184:80", "104.131.41.185:8080", "101.187.81.254:80", "62.84.75.50:80", "178.250.54.208:8080", "201.71.228.86:80", "190.92.122.226:80", "138.97.60.140:8080"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.471191876.00000000020F0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.206004453.0000000002641000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.210049440.0000000002181000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.205611516.0000000002294000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.471538485.0000000002211000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.209938070.0000000002124000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.471462272.00000000021B4000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.205562844.0000000002230000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.209835926.00000000020C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.wiaacmgr.exe.20c052e.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.wiaacmgr.exe.2180000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.KNEa2w7v3a.exe.223279e.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.KNEa2w7v3a.exe.223052e.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.KNEa2w7v3a.exe.223052e.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.Windows.Media.Playback.MediaPlayer.exe.20f279e.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.Windows.Media.Playback.MediaPlayer.exe.20f279e.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.wiaacmgr.exe.20c052e.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.Windows.Media.Playback.MediaPlayer.exe.2210000.4.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.KNEa2w7v3a.exe.2640000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.wiaacmgr.exe.20c279e.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.wiaacmgr.exe.20c279e.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.KNEa2w7v3a.exe.223279e.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 10 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: KNEa2w7v3a.exe

Avira: detected

Found malware configuration

Show sources

Source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.unpack

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["190.202.229.74:80", "118.69.11.81:7080", "70.39.251.94:8080", "87.230.25.43:8080", "94.23.62.116:8080", "37.187.161.206:8080", "45.46.37.97:80", "138.97.60.141:7080", "177.144.130.105:8080", "169.1.39.242:80", "209.236.123.42:8080", "202.134.4.210:7080", "193.251.77.110:80", "2.45.176.233:80", "217.13.106.14:8080", "189.223.16.99:80", "190.101.156.139:80", "77.238.212.227:80", "181.58.181.9:80", "37.183.81.217:80", "74.58.215.226:80", "174.118.202.24:443", "168.197.45.36:80", "81.215.230.173:443", "192.175.111.212:7080", "216.47.196.104:80", "128.92.203.42:80", "94.176.234.118:443", "191.182.6.118:80", "212.71.237.140:8080", "24.232.228.233:80", "177.73.0.98:443", "177.23.7.151:80", "24.135.69.146:80", "83.169.21.32:7080", "189.34.181.88:80", "179.222.115.170:80", "177.144.130.105:443", "213.197.182.158:8080", "5.89.33.136:80", "77.78.196.173:443", "120.72.18.91:80", "50.28.51.143:8080", "190.64.88.186:443", "111.67.12.221:8080", "12.162.84.2:8080", "46.105.114.137:8080", "59.148.253.194:8080", "201.213.177.139:80", "82.76.52.155:80", "172.104.169.32:8080", "188.251.213.180:80", "46.43.2.95:8080", "137.74.106.111:7080", "188.135.15.49:80", "185.94.252.27:443", "197.232.36.108:80", "60.249.78.226:8080", "187.162.248.237:80", "181.129.96.162:8080", "46.101.58.37:8080", "109.242.153.9:80", "178.211.45.66:8080", "200.59.6.174:80", "83.103.179.156:80", "172.86.186.21:8080", "70.32.115.157:8080", "81.214.253.80:443", "201.49.239.200:443", "149.202.72.142:7080", "190.45.24.210:80", "186.189.249.2:80", "219.92.13.25:80", "170.81.48.2:80", "51.75.33.127:80", "192.241.143.52:8080", "45.33.77.42:8080", "152.169.22.67:80", "1.226.84.243:8080", "78.206.229.130:80", "37.179.145.105:80", "68.183.170.114:8080", "192.232.229.54:7080", "103.236.179.162:80", "70.32.84.74:8080", "79.118.74.90:80", "60.93.23.51:80", "181.120.29.49:80", "213.52.74.198:80", "51.255.165.160:8080", "183.176.82.231:80", "186.193.229.123:80", "98.103.204.12:443", "129.232.220.11:8080", "181.61.182.143:80", "68.183.190.199:8080", "190.115.18.139:8080", "200.24.255.23:80", "103.13.224.53:80", "85.214.26.7:8080", "190.24.243.186:80", "87.106.46.107:8080", "177.107.79.214:8080", "12.163.208.58:80", "187.162.250.23:443", "109.101.137.162:8080", "82.76.111.249:443", "181.30.61.163:443", "5.196.35.138:7080", "51.15.7.145:80", "192.198.91.138:443", "188.157.101.114:80", "189.2.177.210:443", "181.123.6.86:80", "109.190.35.249:80", "45.16.226.117:443", "190.190.219.184:80", "104.131.41.185:8080", "101.187.81.254:80", "62.84.75.50:80", "178.250.54.208:8080", "201.71.228.86:80", "190.92.122.226:80", "138.97.60.140:8080"]}

Multi AV Scanner detection for submitted file

Show sources

Source: KNEa2w7v3a.exe	Virustotal: Detection: 88%	Perma Link
Source: KNEa2w7v3a.exe	Metadefender: Detection: 48%	Perma Link
Source: KNEa2w7v3a.exe	ReversingLabs: Detection: 96%

Machine Learning detection for sample

Show sources

Source: KNEa2w7v3a.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_02212680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey,
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_022122C0 CryptExportKey,CryptDestroyHash,memcpy,CryptEncrypt,RtlAllocateHeap,CryptDuplicateHash,CryptGetHashParam,
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_02211FF0 memcpy,CryptDuplicateHash,CryptDestroyHash,RtlAllocateHeap,

Source: KNEa2w7v3a.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02643A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_02183A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_02213A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 190.202.229.74:80
Source: Malware configuration extractor	IPs: 118.69.11.81:7080
Source: Malware configuration extractor	IPs: 70.39.251.94:8080
Source: Malware configuration extractor	IPs: 87.230.25.43:8080
Source: Malware configuration extractor	IPs: 94.23.62.116:8080
Source: Malware configuration extractor	IPs: 37.187.161.206:8080
Source: Malware configuration extractor	IPs: 45.46.37.97:80
Source: Malware configuration extractor	IPs: 138.97.60.141:7080
Source: Malware configuration extractor	IPs: 177.144.130.105:8080
Source: Malware configuration extractor	IPs: 169.1.39.242:80
Source: Malware configuration extractor	IPs: 209.236.123.42:8080
Source: Malware configuration extractor	IPs: 202.134.4.210:7080
Source: Malware configuration extractor	IPs: 193.251.77.110:80
Source: Malware configuration extractor	IPs: 2.45.176.233:80
Source: Malware configuration extractor	IPs: 217.13.106.14:8080
Source: Malware configuration extractor	IPs: 189.223.16.99:80
Source: Malware configuration extractor	IPs: 190.101.156.139:80
Source: Malware configuration extractor	IPs: 77.238.212.227:80
Source: Malware configuration extractor	IPs: 181.58.181.9:80
Source: Malware configuration extractor	IPs: 37.183.81.217:80
Source: Malware configuration extractor	IPs: 74.58.215.226:80
Source: Malware configuration extractor	IPs: 174.118.202.24:443
Source: Malware configuration extractor	IPs: 168.197.45.36:80
Source: Malware configuration extractor	IPs: 81.215.230.173:443
Source: Malware configuration extractor	IPs: 192.175.111.212:7080
Source: Malware configuration extractor	IPs: 216.47.196.104:80
Source: Malware configuration extractor	IPs: 128.92.203.42:80
Source: Malware configuration extractor	IPs: 94.176.234.118:443
Source: Malware configuration extractor	IPs: 191.182.6.118:80
Source: Malware configuration extractor	IPs: 212.71.237.140:8080
Source: Malware configuration extractor	IPs: 24.232.228.233:80
Source: Malware configuration extractor	IPs: 177.73.0.98:443
Source: Malware configuration extractor	IPs: 177.23.7.151:80
Source: Malware configuration extractor	IPs: 24.135.69.146:80
Source: Malware configuration extractor	IPs: 83.169.21.32:7080
Source: Malware configuration extractor	IPs: 189.34.181.88:80
Source: Malware configuration extractor	IPs: 179.222.115.170:80
Source: Malware configuration extractor	IPs: 177.144.130.105:443
Source: Malware configuration extractor	IPs: 213.197.182.158:8080
Source: Malware configuration extractor	IPs: 5.89.33.136:80
Source: Malware configuration extractor	IPs: 77.78.196.173:443
Source: Malware configuration extractor	IPs: 120.72.18.91:80
Source: Malware configuration extractor	IPs: 50.28.51.143:8080
Source: Malware configuration extractor	IPs: 190.64.88.186:443
Source: Malware configuration extractor	IPs: 111.67.12.221:8080
Source: Malware configuration extractor	IPs: 12.162.84.2:8080
Source: Malware configuration extractor	IPs: 46.105.114.137:8080
Source: Malware configuration extractor	IPs: 59.148.253.194:8080
Source: Malware configuration extractor	IPs: 201.213.177.139:80
Source: Malware configuration extractor	IPs: 82.76.52.155:80
Source: Malware configuration extractor	IPs: 172.104.169.32:8080
Source: Malware configuration extractor	IPs: 188.251.213.180:80
Source: Malware configuration extractor	IPs: 46.43.2.95:8080
Source: Malware configuration extractor	IPs: 137.74.106.111:7080
Source: Malware configuration extractor	IPs: 188.135.15.49:80
Source: Malware configuration extractor	IPs: 185.94.252.27:443
Source: Malware configuration extractor	IPs: 197.232.36.108:80
Source: Malware configuration extractor	IPs: 60.249.78.226:8080
Source: Malware configuration extractor	IPs: 187.162.248.237:80
Source: Malware configuration extractor	IPs: 181.129.96.162:8080
Source: Malware configuration extractor	IPs: 46.101.58.37:8080
Source: Malware configuration extractor	IPs: 109.242.153.9:80
Source: Malware configuration extractor	IPs: 178.211.45.66:8080
Source: Malware configuration extractor	IPs: 200.59.6.174:80
Source: Malware configuration extractor	IPs: 83.103.179.156:80
Source: Malware configuration extractor	IPs: 172.86.186.21:8080
Source: Malware configuration extractor	IPs: 70.32.115.157:8080
Source: Malware configuration extractor	IPs: 81.214.253.80:443
Source: Malware configuration extractor	IPs: 201.49.239.200:443
Source: Malware configuration extractor	IPs: 149.202.72.142:7080
Source: Malware configuration extractor	IPs: 190.45.24.210:80
Source: Malware configuration extractor	IPs: 186.189.249.2:80
Source: Malware configuration extractor	IPs: 219.92.13.25:80
Source: Malware configuration extractor	IPs: 170.81.48.2:80
Source: Malware configuration extractor	IPs: 51.75.33.127:80
Source: Malware configuration extractor	IPs: 192.241.143.52:8080
Source: Malware configuration extractor	IPs: 45.33.77.42:8080
Source: Malware configuration extractor	IPs: 152.169.22.67:80
Source: Malware configuration extractor	IPs: 1.226.84.243:8080
Source: Malware configuration extractor	IPs: 78.206.229.130:80
Source: Malware configuration extractor	IPs: 37.179.145.105:80
Source: Malware configuration extractor	IPs: 68.183.170.114:8080
Source: Malware configuration extractor	IPs: 192.232.229.54:7080
Source: Malware configuration extractor	IPs: 103.236.179.162:80
Source: Malware configuration extractor	IPs: 70.32.84.74:8080
Source: Malware configuration extractor	IPs: 79.118.74.90:80
Source: Malware configuration extractor	IPs: 60.93.23.51:80
Source: Malware configuration extractor	IPs: 181.120.29.49:80
Source: Malware configuration extractor	IPs: 213.52.74.198:80
Source: Malware configuration extractor	IPs: 51.255.165.160:8080
Source: Malware configuration extractor	IPs: 183.176.82.231:80
Source: Malware configuration extractor	IPs: 186.193.229.123:80
Source: Malware configuration extractor	IPs: 98.103.204.12:443
Source: Malware configuration extractor	IPs: 129.232.220.11:8080
Source: Malware configuration extractor	IPs: 181.61.182.143:80
Source: Malware configuration extractor	IPs: 68.183.190.199:8080
Source: Malware configuration extractor	IPs: 190.115.18.139:8080
Source: Malware configuration extractor	IPs: 200.24.255.23:80
Source: Malware configuration extractor	IPs: 103.13.224.53:80
Source: Malware configuration extractor	IPs: 85.214.26.7:8080
Source: Malware configuration extractor	IPs: 190.24.243.186:80
Source: Malware configuration extractor	IPs: 87.106.46.107:8080
Source: Malware configuration extractor	IPs: 177.107.79.214:8080
Source: Malware configuration extractor	IPs: 12.163.208.58:80
Source: Malware configuration extractor	IPs: 187.162.250.23:443
Source: Malware configuration extractor	IPs: 109.101.137.162:8080
Source: Malware configuration extractor	IPs: 82.76.111.249:443
Source: Malware configuration extractor	IPs: 181.30.61.163:443
Source: Malware configuration extractor	IPs: 5.196.35.138:7080
Source: Malware configuration extractor	IPs: 51.15.7.145:80
Source: Malware configuration extractor	IPs: 192.198.91.138:443
Source: Malware configuration extractor	IPs: 188.157.101.114:80
Source: Malware configuration extractor	IPs: 189.2.177.210:443
Source: Malware configuration extractor	IPs: 181.123.6.86:80
Source: Malware configuration extractor	IPs: 109.190.35.249:80
Source: Malware configuration extractor	IPs: 45.16.226.117:443
Source: Malware configuration extractor	IPs: 190.190.219.184:80
Source: Malware configuration extractor	IPs: 104.131.41.185:8080
Source: Malware configuration extractor	IPs: 101.187.81.254:80
Source: Malware configuration extractor	IPs: 62.84.75.50:80
Source: Malware configuration extractor	IPs: 178.250.54.208:8080
Source: Malware configuration extractor	IPs: 201.71.228.86:80
Source: Malware configuration extractor	IPs: 190.92.122.226:80
Source: Malware configuration extractor	IPs: 138.97.60.140:8080

Source: unknown

Network traffic detected: IP country count 38

Source: global traffic	TCP traffic: 192.168.2.3:49732 -> 118.69.11.81:7080
Source: global traffic	TCP traffic: 192.168.2.3:49734 -> 70.39.251.94:8080
Source: global traffic	TCP traffic: 192.168.2.3:49743 -> 87.230.25.43:8080
Source: global traffic	TCP traffic: 192.168.2.3:49746 -> 94.23.62.116:8080
Source: global traffic	TCP traffic: 192.168.2.3:49747 -> 37.187.161.206:8080

Source: Joe Sandbox View	IP Address: 81.214.253.80 81.214.253.80
Source: Joe Sandbox View	IP Address: 94.176.234.118 94.176.234.118

Source: Joe Sandbox View	ASN Name: TTNETTR TTNETTR
Source: Joe Sandbox View	ASN Name: RACKRAYUABRakrejusLT RACKRAYUABRakrejusLT

Source: global traffic

TCP traffic: 192.168.2.3:49723 -> 190.202.229.74:80

Source: unknown	TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown	TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown	TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown	TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown	TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown	TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown	TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown	TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown	TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown	TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown	TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown	TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 37.187.161.206
Source: unknown	TCP traffic detected without corresponding DNS query: 37.187.161.206
Source: unknown	TCP traffic detected without corresponding DNS query: 37.187.161.206

Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp	String found in binary or memory: http://118.69.11.81:7080/cLGKs29k/
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp	String found in binary or memory: http://118.69.11.81:7080/cLGKs29k/$
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp	String found in binary or memory: http://118.69.11.81:7080/cLGKs29k/0
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000003.295761237.000000000232D000.00000004.00000001.sdmp	String found in binary or memory: http://190.202.229.74/u2xUhDP9gvOFSFief0/IRiW/IMV8TOoDabstev/
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000003.295761237.000000000232D000.00000004.00000001.sdmp	String found in binary or memory: http://190.202.229.74/u2xUhDP9gvOFSFief0/IRiW/IMV8TOoDabstev/N
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp	String found in binary or memory: http://37.187.161.206:8080/AJT6ih/yjZb/vgDNbB0LE6VNEd/
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp	String found in binary or memory: http://70.39.251.94:8080/blOro9t0iLZ/z7z
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp	String found in binary or memory: http://70.39.251.94:8080/blOro9t7
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471741562.0000000002314000.00000004.00000001.sdmp	String found in binary or memory: http://94.23.62.116:8080/TkDGGoG/EjmXKjEQOJnYdPvRd/
Source: svchost.exe, 00000008.00000002.473175094.0000025EF6612000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000008.00000002.473175094.0000025EF6612000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000008.00000002.473175094.0000025EF6612000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000008.00000002.471064115.0000025EF0EA8000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/
Source: svchost.exe, 00000008.00000002.471064115.0000025EF0EA8000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: svchost.exe, 00000008.00000002.471064115.0000025EF0EA8000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 00000008.00000002.472934812.0000025EF6490000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000E.00000002.309780751.000001EB87013000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.309511986.000001EB87049000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.309574519.000001EB87050000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.309526286.000001EB87040000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000003.309526286.000001EB87040000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.309526286.000001EB87040000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 0000000E.00000003.309511986.000001EB87049000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.309483788.000001EB87063000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.309511986.000001EB87049000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309780751.000001EB87013000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.309526286.000001EB87040000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000003.309574519.000001EB87050000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Source: KNEa2w7v3a.exe, 00000001.00000002.205452158.000000000069A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 4.2.wiaacmgr.exe.20c052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wiaacmgr.exe.2180000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KNEa2w7v3a.exe.223279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KNEa2w7v3a.exe.223052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KNEa2w7v3a.exe.223052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wiaacmgr.exe.20c052e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.2210000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KNEa2w7v3a.exe.2640000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wiaacmgr.exe.20c279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wiaacmgr.exe.20c279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KNEa2w7v3a.exe.223279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.471191876.00000000020F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.206004453.0000000002641000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.210049440.0000000002181000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.205611516.0000000002294000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.471538485.0000000002211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.209938070.0000000002124000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.471462272.00000000021B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.205562844.0000000002230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.209835926.00000000020C0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe

Code function: 5_2_02212680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey,

Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe

Code function: 4_2_021891E0 OpenSCManagerW,CloseServiceHandle,DeleteService,CloseServiceHandle,

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe

File created: C:\Windows\SysWOW64\rdvgogl32\

Jump to behavior

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe

File deleted: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02648330
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_026486F0
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02646860
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02647B30
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02643CE0
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02643EE0
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_026442C9
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_026441B7
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02644190
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02235E67
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02235A7E
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_0223A28E
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_022396CE
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02239ECE
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_022383FE
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_0223587E
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02235D2E
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02235D55
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_02188330
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_021886F0
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_02187B30
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_02186860
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_02184190
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_021841B7
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_021842C9
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_02183CE0
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_02183EE0
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_020C5E67
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_020C5A7E
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_020CA28E
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_020C96CE
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_020C9ECE
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_020C83FE
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_020C587E
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_020C5D2E
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_020C5D55
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_022186F0
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_02218330
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_02217B30
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_02216860
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_022141B7
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_02214190
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_02213CE0
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_02213EE0
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_022142C9
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_020F5E67
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_020F5A7E
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_020FA28E
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_020F96CE
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_020F9ECE
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_020F83FE
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_020F587E
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_020F5D2E
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_020F5D55

Source: KNEa2w7v3a.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: KNEa2w7v3a.exe, 00000001.00000002.206292457.0000000002A10000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs KNEa2w7v3a.exe
Source: KNEa2w7v3a.exe, 00000001.00000002.206292457.0000000002A10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs KNEa2w7v3a.exe
Source: KNEa2w7v3a.exe, 00000001.00000002.206154268.0000000002920000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs KNEa2w7v3a.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll

Source: KNEa2w7v3a.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: classification engine

Classification label: mal96.troj.evad.winEXE@21/11@0/100

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle,
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle,

Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe

Code function: 5_2_02214FD0 Process32NextW,Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,FindCloseChangeNotification,

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe

Code function: 1_2_02645390 ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap,

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:1396:120:WilError_01

Source: KNEa2w7v3a.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: KNEa2w7v3a.exe	Virustotal: Detection: 88%
Source: KNEa2w7v3a.exe	Metadefender: Detection: 48%
Source: KNEa2w7v3a.exe	ReversingLabs: Detection: 96%

Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Users\user\Desktop\KNEa2w7v3a.exe 'C:\Users\user\Desktop\KNEa2w7v3a.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Process created: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Process created: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Process created: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Process created: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe

Code function: 1_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02646240 push ecx; mov dword ptr [esp], 00008F23h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02646140 push ecx; mov dword ptr [esp], 00004AF2h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02646320 push ecx; mov dword ptr [esp], 00009128h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02646220 push ecx; mov dword ptr [esp], 00004B50h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_026460F0 push ecx; mov dword ptr [esp], 0000A172h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_026462D0 push ecx; mov dword ptr [esp], 00001969h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_026461D0 push ecx; mov dword ptr [esp], 00004B56h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_026462A0 push ecx; mov dword ptr [esp], 0000BFAAh
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_026461B0 push ecx; mov dword ptr [esp], 000003A6h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02646180 push ecx; mov dword ptr [esp], 0000D106h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02646090 push ecx; mov dword ptr [esp], 0000BAD9h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02237E3E push ecx; mov dword ptr [esp], 0000BFAAh
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02237E6E push ecx; mov dword ptr [esp], 00001969h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02237EBE push ecx; mov dword ptr [esp], 00009128h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_0223FF7E push esp; retf
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_0224C7B2 push edi; iretd
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_0224ABBE push edi; iretd
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_022457F0 push eax; ret
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_022493C6 push ecx; retf
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02248FCA push ecx; retf
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02237C2E push ecx; mov dword ptr [esp], 0000BAD9h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02240404 push C9686868h; iretd
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02237C8E push ecx; mov dword ptr [esp], 0000A172h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02237CDE push ecx; mov dword ptr [esp], 00004AF2h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02237D1E push ecx; mov dword ptr [esp], 0000D106h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02237D6E push ecx; mov dword ptr [esp], 00004B56h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02237D4E push ecx; mov dword ptr [esp], 000003A6h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02237DBE push ecx; mov dword ptr [esp], 00004B50h
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02237DDE push ecx; mov dword ptr [esp], 00008F23h
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_02186320 push ecx; mov dword ptr [esp], 00009128h
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_02186220 push ecx; mov dword ptr [esp], 00004B50h

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Executable created and started: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Executable created and started: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe

PE file moved: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	File opened: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	File opened: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe:Zone.Identifier read attributes \| delete

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Show sources

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap,
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap,

Source: C:\Windows\System32\svchost.exe TID: 5324

Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02643A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_02183A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_02213A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,

Source: svchost.exe, 00000000.00000002.213106663.0000020957140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.267287663.000002BEE2540000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.281179657.000001B9D22C0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.471621326.0000011E04D40000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000008.00000002.473254655.0000025EF6662000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.470791785.0000014583002000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.473241462.0000025EF6655000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000000.00000002.213106663.0000020957140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.267287663.000002BEE2540000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.281179657.000001B9D22C0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.471621326.0000011E04D40000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000000.00000002.213106663.0000020957140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.267287663.000002BEE2540000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.281179657.000001B9D22C0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.471621326.0000011E04D40000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471741562.0000000002314000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.470876694.0000014583029000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.470969487.0000023C4462A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000000.00000002.213106663.0000020957140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.267287663.000002BEE2540000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.281179657.000001B9D22C0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.471621326.0000011E04D40000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02645140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02644190 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02230456 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02236CDE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02235D2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_0223095E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe	Code function: 1_2_02291030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_02185140 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_02184190 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_020C0456 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_020C6CDE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_020C5D2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_020C095E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe	Code function: 4_2_02121030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_02215140 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_02214190 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_020F0456 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_020F6CDE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_020F5D2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_020F095E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Code function: 5_2_021B1030 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\KNEa2w7v3a.exe

Code function: 1_2_02291030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.470961494.0000000000CE0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.471126263.0000027F89190000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.470961494.0000000000CE0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.471126263.0000027F89190000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.470961494.0000000000CE0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.471126263.0000027F89190000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.470961494.0000000000CE0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.471126263.0000027F89190000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe

Code function: 5_2_02215720 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,

Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 00000010.00000002.470365857.000001F9AEA3D000.00000004.00000001.sdmp	Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.470546623.000001F9AEB02000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 4.2.wiaacmgr.exe.20c052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wiaacmgr.exe.2180000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KNEa2w7v3a.exe.223279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KNEa2w7v3a.exe.223052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KNEa2w7v3a.exe.223052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wiaacmgr.exe.20c052e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.2210000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KNEa2w7v3a.exe.2640000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wiaacmgr.exe.20c279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wiaacmgr.exe.20c279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KNEa2w7v3a.exe.223279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.471191876.00000000020F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.206004453.0000000002641000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.210049440.0000000002181000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.205611516.0000000002294000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.471538485.0000000002211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.209938070.0000000002124000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.471462272.00000000021B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.205562844.0000000002230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.209835926.00000000020C0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Windows Service12	Windows Service12	Masquerading121	Input Capture1	Security Software Discovery41	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Service Execution11	DLL Side-Loading1	Process Injection2	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API11	Logon Script (Windows)	DLL Side-Loading1	Virtualization/Sandbox Evasion2	Security Account Manager	Process Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection2	NTDS	System Service Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	System Information Discovery24	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
KNEa2w7v3a.exe	89%	Virustotal		Browse
KNEa2w7v3a.exe	57%	Metadefender		Browse
KNEa2w7v3a.exe	96%	ReversingLabs	Win32.Trojan.EmotetCrypt
KNEa2w7v3a.exe	100%	Avira	TR/Injector.tthlz
KNEa2w7v3a.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.unpack	100%	Avira	HEUR/AGEN.1110377	Download File
4.2.wiaacmgr.exe.2180000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.0.wiaacmgr.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139844	Download File
1.2.KNEa2w7v3a.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139844	Download File
1.0.KNEa2w7v3a.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139844	Download File
4.2.wiaacmgr.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139844	Download File
1.2.KNEa2w7v3a.exe.223052e.2.unpack	100%	Avira	HEUR/AGEN.1110377	Download File
1.2.KNEa2w7v3a.exe.223279e.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.Windows.Media.Playback.MediaPlayer.exe.20f279e.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.wiaacmgr.exe.20c052e.1.unpack	100%	Avira	HEUR/AGEN.1110377	Download File
5.2.Windows.Media.Playback.MediaPlayer.exe.2210000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.Windows.Media.Playback.MediaPlayer.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139844	Download File
1.2.KNEa2w7v3a.exe.2640000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.Windows.Media.Playback.MediaPlayer.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139844	Download File
4.2.wiaacmgr.exe.20c279e.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://37.187.161.206:8080/AJT6ih/yjZb/vgDNbB0LE6VNEd/	0%	Avira URL Cloud	safe
http://190.202.229.74/u2xUhDP9gvOFSFief0/IRiW/IMV8TOoDabstev/N	0%	Avira URL Cloud	safe
http://118.69.11.81:7080/cLGKs29k/	0%	Avira URL Cloud	safe
http://70.39.251.94:8080/blOro9t0iLZ/z7z	0%	Avira URL Cloud	safe
http://118.69.11.81:7080/cLGKs29k/$	0%	Avira URL Cloud	safe
http://118.69.11.81:7080/cLGKs29k/0	0%	Avira URL Cloud	safe
http://190.202.229.74/u2xUhDP9gvOFSFief0/IRiW/IMV8TOoDabstev/	0%	Avira URL Cloud	safe
http://94.23.62.116:8080/TkDGGoG/EjmXKjEQOJnYdPvRd/	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
http://70.39.251.94:8080/blOro9t7	0%	Avira URL Cloud	safe
https://dynamic.t	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://37.187.161.206:8080/AJT6ih/yjZb/vgDNbB0LE6VNEd/	Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/	svchost.exe, 00000008.00000002.471064115.0000025EF0EA8000.00000004.00000001.sdmp	false		high
http://190.202.229.74/u2xUhDP9gvOFSFief0/IRiW/IMV8TOoDabstev/N	Windows.Media.Playback.MediaPlayer.exe, 00000005.00000003.295761237.000000000232D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000E.00000003.309574519.000001EB87050000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000E.00000003.309526286.000001EB87040000.00000004.00000001.sdmp	false		high
http://118.69.11.81:7080/cLGKs29k/	Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000E.00000003.309511986.000001EB87049000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=	svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000E.00000003.309526286.000001EB87040000.00000004.00000001.sdmp	false		high
http://70.39.251.94:8080/blOro9t0iLZ/z7z	Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://118.69.11.81:7080/cLGKs29k/$	Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000E.00000002.309780751.000001EB87013000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp	false		high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000E.00000003.309526286.000001EB87040000.00000004.00000001.sdmp	false		high
http://118.69.11.81:7080/cLGKs29k/0	Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	svchost.exe, 00000008.00000002.471064115.0000025EF0EA8000.00000004.00000001.sdmp	false		high
http://190.202.229.74/u2xUhDP9gvOFSFief0/IRiW/IMV8TOoDabstev/	Windows.Media.Playback.MediaPlayer.exe, 00000005.00000003.295761237.000000000232D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp	false		high
http://94.23.62.116:8080/TkDGGoG/EjmXKjEQOJnYdPvRd/	Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471741562.0000000002314000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000E.00000003.309526286.000001EB87040000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309780751.000001EB87013000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000E.00000003.309574519.000001EB87050000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	false		high
http://70.39.251.94:8080/blOro9t7	Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	svchost.exe, 00000008.00000002.472934812.0000025EF6490000.00000002.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	svchost.exe, 00000008.00000002.471064115.0000025EF0EA8000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000E.00000003.309483788.000001EB87063000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.309511986.000001EB87049000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp	false		high
https://activity.windows.com	svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000E.00000003.309511986.000001EB87049000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
81.214.253.80	unknown	Turkey	9121	TTNETTR	true
94.176.234.118	unknown	Lithuania	62282	RACKRAYUABRakrejusLT	true
78.206.229.130	unknown	France	12322	PROXADFR	true
181.58.181.9	unknown	Colombia	10620	TelmexColombiaSACO	true
213.197.182.158	unknown	Lithuania	15440	BALTNETACustomersASLT	true
103.13.224.53	unknown	Bangladesh	58672	MAXNETONLINE-BDMaxnetOnlineBD	true
209.236.123.42	unknown	United States	393398	ASN-DISUS	true
79.118.74.90	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	true
51.15.7.145	unknown	France	12876	OnlineSASFR	true
190.45.24.210	unknown	Chile	22047	VTRBANDAANCHASACL	true
5.196.35.138	unknown	France	16276	OVHFR	true
190.190.219.184	unknown	Argentina	10481	TelecomArgentinaSAAR	true
200.59.6.174	unknown	Argentina	12150	COTELCAMAR	true
181.129.96.162	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
50.28.51.143	unknown	United States	32244	LIQUIDWEBUS	true
189.34.181.88	unknown	Brazil	28573	CLAROSABR	true
149.202.72.142	unknown	France	16276	OVHFR	true
82.76.52.155	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	true
5.89.33.136	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
45.16.226.117	unknown	United States	7018	ATT-INTERNET4US	true
120.72.18.91	unknown	Philippines	38553	DCTECHDVO-AS-APInternetServiceProviderandDataCenterP	true
187.162.250.23	unknown	Mexico	6503	AxtelSABdeCVMX	true
12.163.208.58	unknown	United States	7018	ATT-INTERNET4US	true
101.187.81.254	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
177.107.79.214	unknown	Brazil	52862	RedenilfServicosdeTelecomunicacoesLtdaBR	true
202.134.4.210	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
190.64.88.186	unknown	Uruguay	6057	AdministracionNacionaldeTelecomunicacionesUY	true
68.183.170.114	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
168.197.45.36	unknown	Argentina	264781	VIDEOTELSRLAR	true
1.226.84.243	unknown	Korea Republic of	9277	SKB-T-AS-KRSKBroadbandCoLtdKR	true
24.135.69.146	unknown	Serbia	31042	SERBIA-BROADBAND-ASSerbiaBroadBand-SrpskeKablovskemreze	true
137.74.106.111	unknown	France	16276	OVHFR	true
172.104.169.32	unknown	United States	63949	LINODE-APLinodeLLCUS	true
178.250.54.208	unknown	United Kingdom	20860	IOMART-ASGB	true
45.33.77.42	unknown	United States	63949	LINODE-APLinodeLLCUS	true
46.101.58.37	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
177.23.7.151	unknown	Brazil	262886	LansofNetLTDAMEBR	true
216.47.196.104	unknown	United States	12083	WOW-INTERNETUS	true
83.169.21.32	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
109.190.35.249	unknown	France	35540	OVH-TELECOMFR	true
172.86.186.21	unknown	Canada	32489	AMANAHA-NEWCA	true
70.32.115.157	unknown	United States	31815	MEDIATEMPLEUS	true
186.189.249.2	unknown	Argentina	16814	NSSSAAR	true
109.101.137.162	unknown	Romania	9050	RTDBucharestRomaniaRO	true
190.115.18.139	unknown	Belize	262254	DDOS-GUARDCORPBZ	true
189.223.16.99	unknown	Mexico	8151	UninetSAdeCVMX	true
201.49.239.200	unknown	Brazil	52532	SpeednetTelecomunicacoesLtdaMEBR	true
185.94.252.27	unknown	Germany	197890	MEGASERVERS-DE	true
178.211.45.66	unknown	Turkey	197328	INETLTDTR	true
169.1.39.242	unknown	South Africa	37611	AfrihostZA	true
188.135.15.49	unknown	Oman	50010	NAWRAS-ASSultanateofOmanOM	true
60.249.78.226	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	true
181.123.6.86	unknown	Paraguay	23201	TelecelSAPY	true
193.251.77.110	unknown	France	3215	FranceTelecom-OrangeFR	true
192.241.143.52	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
128.92.203.42	unknown	United States	20115	CHARTER-20115US	true
81.215.230.173	unknown	Turkey	9121	TTNETTR	true
111.67.12.221	unknown	Australia	55803	DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU	true
46.105.114.137	unknown	France	16276	OVHFR	true
192.232.229.54	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
191.182.6.118	unknown	Brazil	28573	CLAROSABR	true
200.24.255.23	unknown	Argentina	52381	SociedadCooperativaPopularLimitadadeComodoroAR	true
177.73.0.98	unknown	Brazil	53184	INBTelecomEIRELIBR	true
70.32.84.74	unknown	United States	398110	GO-DADDY-COM-LLCUS	true
12.162.84.2	unknown	United States	7018	ATT-INTERNET4US	true
181.61.182.143	unknown	Colombia	10620	TelmexColombiaSACO	true
170.81.48.2	unknown	Brazil	263634	TACNETTELECOMBR	true
181.120.29.49	unknown	Paraguay	23201	TelecelSAPY	true
219.92.13.25	unknown	Malaysia	4788	TMNET-AS-APTMNetInternetServiceProviderMY	true
98.103.204.12	unknown	United States	10796	TWC-10796-MIDWESTUS	true
190.101.156.139	unknown	Chile	22047	VTRBANDAANCHASACL	true
2.45.176.233	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
187.162.248.237	unknown	Mexico	6503	AxtelSABdeCVMX	true
186.193.229.123	unknown	Brazil	262731	CTINETSOLUCOESEMCONECTIVIDADEEINFORMATICALTDBR	true
189.2.177.210	unknown	Brazil	4230	CLAROSABR	true
37.183.81.217	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
179.222.115.170	unknown	Brazil	28573	CLAROSABR	true
37.179.145.105	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
118.69.11.81	unknown	Viet Nam	18403	FPT-AS-APTheCorporationforFinancingPromotingTechnolo	true
68.183.190.199	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
183.176.82.231	unknown	Japan	7522	STCNSTNetIncorporatedJP	true
177.144.130.105	unknown	Brazil	27699	TELEFONICABRASILSABR	true
181.30.61.163	unknown	Argentina	10318	TelecomArgentinaSAAR	true
190.202.229.74	unknown	Venezuela	8048	CANTVServiciosVenezuelaVE	true
82.76.111.249	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	true
77.238.212.227	unknown	Bosnia and Herzegowina	42560	BA-TELEMACH-ASTelemachdooSarajevoBA	true
217.13.106.14	unknown	Hungary	12301	INVITECHHU	true
77.78.196.173	unknown	Bosnia and Herzegowina	42560	BA-TELEMACH-ASTelemachdooSarajevoBA	true
62.84.75.50	unknown	Lebanon	42334	BBP-ASLB	true
37.187.161.206	unknown	France	16276	OVHFR	true
201.213.177.139	unknown	Argentina	10481	TelecomArgentinaSAAR	true
188.251.213.180	unknown	Portugal	3243	MEO-RESIDENCIALPT	true
109.242.153.9	unknown	Greece	25472	WIND-ASGR	true
85.214.26.7	unknown	Germany	6724	STRATOSTRATOAGDE	true
51.75.33.127	unknown	France	16276	OVHFR	true
188.157.101.114	unknown	Hungary	5483	MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU	true
46.43.2.95	unknown	United Kingdom	35425	BYTEMARK-ASGB	true
59.148.253.194	unknown	Hong Kong	9269	HKBN-AS-APHongKongBroadbandNetworkLtdHK	true
74.58.215.226	unknown	Canada	5769	VIDEOTRONCA	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	463770
Start date:	12.08.2021
Start time:	03:55:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 29s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	KNEa2w7v3a.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@21/11@0/100
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 19.7% (good quality ratio 19.2%) Quality average: 72.3% Quality standard deviation: 23%
HCA Information:	Successful, ratio: 96% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 20.189.173.20, 13.89.179.12, 20.190.159.136, 40.126.31.4, 40.126.31.8, 40.126.31.135, 20.190.159.138, 40.126.31.1, 20.190.159.132, 40.126.31.6, 20.82.210.154, 23.211.4.86, 40.112.88.60, 173.222.108.210, 173.222.108.226, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, login.live.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ris-prod.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, a767.dscg3.akamai.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:56:25	API Interceptor	1x Sleep call for process: KNEa2w7v3a.exe modified
03:56:51	API Interceptor	2x Sleep call for process: svchost.exe modified
03:58:07	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
81.214.253.80	http://buybywe.com/roundcube/installer/eaZ/	Get hash	malicious	Browse	81.214.253.80:443/BdD9uZ0nJukeWE
94.176.234.118	mormanti.exe	Get hash	malicious	Browse
	Io8ic2291n.doc	Get hash	malicious	Browse
	SpEQvgtnaR.exe	Get hash	malicious	Browse
	gPEkWaJGIA.exe	Get hash	malicious	Browse
	aXwo8YyqNu.exe	Get hash	malicious	Browse
	aof712Ufpl.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RACKRAYUABRakrejusLT	PHvqpLRfRl.exe	Get hash	malicious	Browse	79.98.24.39
	VESSEL BOOKING DETAILS_pdf.exe	Get hash	malicious	Browse	194.135.89.35
	B6i30pLa8e.exe	Get hash	malicious	Browse	79.98.28.25
	Y7S49aaObc	Get hash	malicious	Browse	80.209.224.126
	CTM ARRANGEMENT.exe	Get hash	malicious	Browse	176.223.131.225
	vMd5gb1HEJ.exe	Get hash	malicious	Browse	80.209.229.141
	vMAjf3xZSp.exe	Get hash	malicious	Browse	80.209.229.141
	BANGKOK REG. SHIPMENT SUPPLY CIF BANGKOK 19-21 FULL DETAILS.exe	Get hash	malicious	Browse	194.135.89.35
	mormanti.exe	Get hash	malicious	Browse	94.176.234.118
	f3ZU8AhKs3.exe	Get hash	malicious	Browse	185.69.55.138
	f2c8546e61ac6f18f9d739a31134c3d47612059d16201.exe	Get hash	malicious	Browse	185.69.55.138
	HGIUF7881Q.exe	Get hash	malicious	Browse	195.181.246.217
	NWMEaRqF7s.exe	Get hash	malicious	Browse	79.98.24.39
	uNh5bTbDTa.dll	Get hash	malicious	Browse	194.135.90.221
	uNh5bTbDTa.dll	Get hash	malicious	Browse	194.135.90.221
	551f47ac_by_Libranalysis.xlsm	Get hash	malicious	Browse	80.209.231.56
	scan of invoice 4366307.xlsm	Get hash	malicious	Browse	94.176.239.4
	kHisp6Vo3M.exe	Get hash	malicious	Browse	94.176.235.200
	sk4imVdVck.exe	Get hash	malicious	Browse	80.209.227.207
	document-1625724940.xls	Get hash	malicious	Browse	194.135.87.87
TTNETTR	PHvqpLRfRl.exe	Get hash	malicious	Browse	78.187.156.31
	IA37ji8jpa	Get hash	malicious	Browse	85.97.99.130
	FD6qpyHOPI	Get hash	malicious	Browse	88.255.23.140
	Vjeta9CbXg	Get hash	malicious	Browse	95.5.58.149
	fEbFnRr00C	Get hash	malicious	Browse	88.241.107.42
	WDNwpnLC6z	Get hash	malicious	Browse	95.7.215.146
	AtzpbZmOwo	Get hash	malicious	Browse	95.6.137.32
	BuJw0YL8x3	Get hash	malicious	Browse	78.178.77.162
	g5bwzqegn4	Get hash	malicious	Browse	78.173.228.99
	8kNgpvKpMy	Get hash	malicious	Browse	85.102.2.135
	Ck4BThYsDw	Get hash	malicious	Browse	78.172.216.112
	6K8zK2czTn	Get hash	malicious	Browse	88.241.107.11
	1pXwIJR8QV	Get hash	malicious	Browse	88.241.107.47
	g9ikwKsuYy	Get hash	malicious	Browse	85.100.28.146
	X7AvBM4NoO	Get hash	malicious	Browse	88.225.138.222
	LDit8hIL8X	Get hash	malicious	Browse	88.225.186.130
	W9xJReKzmM	Get hash	malicious	Browse	88.248.29.152
	d5reZjGi2R	Get hash	malicious	Browse	95.15.253.243
	SUsQqSw8ip	Get hash	malicious	Browse	78.171.186.142
	OzW9U3k1r8	Get hash	malicious	Browse	85.111.21.252

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5950547304132587
Encrypted:	false
SSDEEP:	6:0FAk1GaD0JOCEfMuaaD0JOCEfMKQmDSaAl/gz2cE0fMbhEZolrRSQ2hyYIIT:0dGaD0JcaaD0JwQQVAg/0bjSQJ
MD5:	490A11F6420837D2E87F8185228C726D
SHA1:	C78B86CB11BB57114226DA2FFDA9E083ABD728E2
SHA-256:	6514574D48DEF3BFF8177A73989E405AD1EDC311789D420D51C19E2841E8A957
SHA-512:	0A45D25737AF68111E2B15884CAD1B45624E18720A01173003A4054D75B091059DCC8BA306629B59BC4B6927F8D456DB3127A6CF681FE7420B0FEE68267C9160
Malicious:	false
Preview:	......:{..(.....38...yk.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................38...yk...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x8e2b3c28, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09522289101320726
Encrypted:	false
SSDEEP:	6:9zwl/+BJU1RIE11Y8TRXgtKkgKrzwl/+BJU1RIE11Y8TRXgtKkgK:90+o1O4blgQKr0+o1O4blgQK
MD5:	A4C977A7F24C1AB389C72156AC986F21
SHA1:	397A2D13ADE410D75728275C573C9E45157E6535
SHA-256:	E9F4D57C9D0DB6FEE012B95526FAA073B8618EF459F24911B40CD8142A6CAFC1
SHA-512:	E7C6B78AFA26F838FBF60D5B98BF4EFD34D939FEE5090F0F9A05D43A022E70381620E09C47D41D155F9878880D96AE3344896EAAF40DE3CFD9D1398C72C56052
Malicious:	false
Preview:	.+<(... ................e.f.3...w........................&..........w..38...yk.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................Hw9]38...ykk.................x.38...yk.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.10964890742971496
Encrypted:	false
SSDEEP:	3:r/9EvWdrcOiXl/bJdAtidgkr4ll:jYWmt4zkk
MD5:	E0E174397C67D567B5BB17EEE0892828
SHA1:	987912F8C0B37599354237E04905E30E813FA51A
SHA-256:	0D1429DA6459A51D057AB53F2563E485D8CB3E3FF6298ED7E82656E0A5E945FA
SHA-512:	D6C57AF3A2194788A666E48DA8672607B822C8BCCCA5F589055DEAA6ABB80E6C05182CE79EE70B40F98DC32AF87385B0E6615A3C5029A074AF6E61440310B334
Malicious:	false
Preview:	.........................................3...w..38...yk......w...............w.......w....:O.....w...................x.38...yk.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.1102443467453243
Encrypted:	false
SSDEEP:	12:26tXm/Ey6q9995gqwqq3qQ10nMCldimE8eawHjc1j:26Ql689wvLyMCldzE9BHjcV
MD5:	F1F2B3B98C309A9C7AEED5C63CC27753
SHA1:	10BFF7C59B16CA2A5B174C1AB90EA41294EEC545
SHA-256:	FF8F6DC09FB829F5F45675694F3D025AD3BC96F8327EA318A1AE4011A3A7FA1A
SHA-512:	7A63682FFAA6491F3FEAF6F5453E19C29F78F4847B86774BA2C9C9EB09AECE3CC3D91D17B5EB81365550D8351E167A0D2DAF6846F4540265C0256BB07FCBA471
Malicious:	false
Preview:	.........................................................................................3IG.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................:.+..... .........h...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P..........;IG....................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11276116723419126
Encrypted:	false
SSDEEP:	12:7SXm/Ey6q9995gUw1miM3qQ10nMCldimE8eawHza1miIJ:7nl68Pw1tMLyMCldzE9BHza1tIJ
MD5:	7ECF910E58D4B2A19B00926EC0D8C0BC
SHA1:	73A25F141B7DF3A22C96C3F20ACC10D6B6B7C281
SHA-256:	D297005815D6DFAF08F1E6C981856AB8D54D62661534D259D5861EDFA6CBFF14
SHA-512:	FF407A00838E6463E85D77110FF88D79EC4D73DD3D983D6AFB2C41EE5DA39E1BEA189D05F8A9A0F9CAE8EA966532493B8A352B25521ABA0320F33E8CA6F60299
Malicious:	false
Preview:	.........................................................................................+HG.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................:.+..... .........h...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P..........2HG....................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11256817544552042
Encrypted:	false
SSDEEP:	12:qXm/Ey6q9995gTg1mK2P3qQ10nMCldimE8eawHza1mKC:fl6891iPLyMCldzE9BHza1O
MD5:	6CB8594E9DD2938F617B9F143E790C81
SHA1:	CAB0B6F2B5554E9E3936C8FCA55EA165B921C974
SHA-256:	52C643C00A07BC1083EFA7B84BD8D3A54226A877BCA6D390E0EC9756A5F867CC
SHA-512:	2E70CB23A8FA6B34705FC08FC27A9AF67FD59CD9BA75E86955F6A2D0A74576EF9B4A06D199947FD79A863205EACDCD127195CAB98B404E1A79BA15235ABE30DC
Malicious:	false
Preview:	........................................................................................<.GG.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................:.+..... .........h...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P...........GG....................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001YS (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.1102443467453243
Encrypted:	false
SSDEEP:	12:26tXm/Ey6q9995gqwqq3qQ10nMCldimE8eawHjc1j:26Ql689wvLyMCldzE9BHjcV
MD5:	F1F2B3B98C309A9C7AEED5C63CC27753
SHA1:	10BFF7C59B16CA2A5B174C1AB90EA41294EEC545
SHA-256:	FF8F6DC09FB829F5F45675694F3D025AD3BC96F8327EA318A1AE4011A3A7FA1A
SHA-512:	7A63682FFAA6491F3FEAF6F5453E19C29F78F4847B86774BA2C9C9EB09AECE3CC3D91D17B5EB81365550D8351E167A0D2DAF6846F4540265C0256BB07FCBA471
Malicious:	false
Preview:	.........................................................................................3IG.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................:.+..... .........h...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P..........;IG....................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11276116723419126
Encrypted:	false
SSDEEP:	12:7SXm/Ey6q9995gUw1miM3qQ10nMCldimE8eawHza1miIJ:7nl68Pw1tMLyMCldzE9BHza1tIJ
MD5:	7ECF910E58D4B2A19B00926EC0D8C0BC
SHA1:	73A25F141B7DF3A22C96C3F20ACC10D6B6B7C281
SHA-256:	D297005815D6DFAF08F1E6C981856AB8D54D62661534D259D5861EDFA6CBFF14
SHA-512:	FF407A00838E6463E85D77110FF88D79EC4D73DD3D983D6AFB2C41EE5DA39E1BEA189D05F8A9A0F9CAE8EA966532493B8A352B25521ABA0320F33E8CA6F60299
Malicious:	false
Preview:	.........................................................................................+HG.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................:.+..... .........h...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P..........2HG....................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001.. (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11256817544552042
Encrypted:	false
SSDEEP:	12:qXm/Ey6q9995gTg1mK2P3qQ10nMCldimE8eawHza1mKC:fl6891iPLyMCldzE9BHza1O
MD5:	6CB8594E9DD2938F617B9F143E790C81
SHA1:	CAB0B6F2B5554E9E3936C8FCA55EA165B921C974
SHA-256:	52C643C00A07BC1083EFA7B84BD8D3A54226A877BCA6D390E0EC9756A5F867CC
SHA-512:	2E70CB23A8FA6B34705FC08FC27A9AF67FD59CD9BA75E86955F6A2D0A74576EF9B4A06D199947FD79A863205EACDCD127195CAB98B404E1A79BA15235ABE30DC
Malicious:	false
Preview:	........................................................................................<.GG.....................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................:.+..... .........h...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P...........GG....................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.161934255091551
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3rbGsowZk9+MlWlLehB4yAq7ejCAGsoQI:OaqdmuF3r1W+kWReH4yJ7Mtw
MD5:	0A941541A681D7B2DC86079497BF7710
SHA1:	F568FA936B273843D8FD811742AA4308EE3CCA1D
SHA-256:	C2EFDEA8AB56E3C156482DDA7800D0DC4077F0592BE999D269B800B1A0AD21BB
SHA-512:	31614F8B523B7FF06526BE6951F78D17053A5B40E9219E1ED066B9261ED624F6DE23ADAD092F9CC14EB40FC48EA2EBF3751A8635722B4DBF0CC91F07298C579A
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. A.u.g. .. 1.2. .. 2.0.2.1. .0.3.:.5.8.:.0.7.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. A.u.g. .. 1.2. .. 2.0.2.1. .0.3.:.5.8.:.0.7.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.960837149454534
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	KNEa2w7v3a.exe
File size:	479232
MD5:	f8adcf71a8c4e5c16d11308dff998ece
SHA1:	2246c5925aca1446078a4cacbafeda7076eb050a
SHA256:	5303823581f2696ae62f21e42a8b0c4d446d2fa9f820e0f04a15992d6a59c59b
SHA512:	9e997a0edfbc49bf554e708825128ab43ab292481d7d6d8d8a561fbc8270f2291dd5d577336c1262407b44b9a0f19b1dd4bb3d6ac2f7f61d0a3aa4ec9137d06c
SSDEEP:	6144:be079Bvns6+dSEDVoOhjfbJ0r0dZQ4XYo8Zv/J5QnEZgHmjihGXL/578RdBg9:bT9Z1/2GOxfbQCBURzQ4ga6U8Re
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sf!.7.O.7.O.7.O...E.<.O...A.6.O...K.3.O.U.\.3.O.#lN.4.O.7.N...O...D.4.O...I.6.O.Rich7.O.........PE..L......_.................0.

File Icon


Icon Hash:	3236323434089341

Static PE Info

General
Entrypoint:	0x4020ea
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5F9B1381 [Thu Oct 29 19:09:53 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	50f8a2255c4baf188eb0098c86160f78

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00404000h
push 004022A0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
sub ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0040632Ch]
pop ecx
or dword ptr [004059C4h], FFFFFFFFh
or dword ptr [004059D4h], FFFFFFFFh
call dword ptr [00406330h]
mov ecx, dword ptr [004059B4h]
mov dword ptr [eax], ecx
call dword ptr [00406334h]
mov ecx, dword ptr [004059B0h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00406340h]
mov eax, dword ptr [eax]
mov dword ptr [004059B8h], eax
call 00007F1A98EBBCC3h
cmp dword ptr [00405844h], ebx
jne 00007F1A98EBBB9Eh
push 00402284h
call dword ptr [00406360h]
pop ecx
call 00007F1A98EBBC8Fh
push 00405418h
push 00405314h
call 00007F1A98EBBC7Ah
mov eax, dword ptr [004059ACh]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [004059A8h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00406358h]
push 00405210h
push 00405000h
call 00007F1A98EBBC47h

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[C++] VS98 (6.0) build 8168
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6000	0x78	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7000	0x6c0f3	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x74000	0x218	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x624c	0x1d4	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23bb	0x3000	False	0.187174479167	data	3.24884109022	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x4000	0x10e	0x1000	False	0.009521484375	data	0.0298850891201	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5000	0x9d8	0x1000	False	0.130859375	data	1.50052137767	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x6000	0xab8	0x1000	False	0.227294921875	data	2.93333151284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x7000	0x6c0f3	0x6d000	False	0.806232977351	data	7.16230757272	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x74000	0x77d	0x1000	False	0.130615234375	data	1.32281451006	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x72e0	0x2e8	data	English	United States
RT_ICON	0x75c8	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x76f0	0xea8	data	English	United States
RT_DIALOG	0x60f00	0x16a	data	English	United States
RT_RCDATA	0x85c8	0x58933	data	English	United States
RT_GROUP_ICON	0x8598	0x30	data	English	United States

Imports

DLL	Import
KERNEL32.dll	LoadLibraryA, GetModuleHandleA, GetStartupInfoA, GetProcAddress, GetModuleHandleExA, VirtualAlloc
USER32.dll	SetDlgItemTextA, DestroyWindow, DispatchMessageA, GetDlgItemTextA, SetWindowTextA, FindWindowA, PostQuitMessage, GetSystemMenu, AppendMenuA, DefWindowProcA, LoadIconA, LoadCursorA, RegisterClassA, CreateWindowExA, ShowWindow, UpdateWindow, GetMessageA, DialogBoxParamA, TranslateMessage
GDI32.dll	GetStockObject
MSVCRT.dll	exit, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, malloc, ??3@YAXPAX@Z, _adjust_fdiv, _onexit, _exit, _XcptFilter, __dllonexit, _acmdln, __getmainargs, _initterm, __setusermatherr
MSVCP60.dll	?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z, ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z, ??0Init@ios_base@std@@QAE@XZ, ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z, ??1_Winit@std@@QAE@XZ, ??0_Winit@std@@QAE@XZ, ??1Init@ios_base@std@@QAE@XZ

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 12, 2021 03:56:44.763108015 CEST	49723	80	192.168.2.3	190.202.229.74
Aug 12, 2021 03:56:47.770731926 CEST	49723	80	192.168.2.3	190.202.229.74
Aug 12, 2021 03:56:53.771222115 CEST	49723	80	192.168.2.3	190.202.229.74
Aug 12, 2021 03:57:09.879889965 CEST	49732	7080	192.168.2.3	118.69.11.81
Aug 12, 2021 03:57:10.169648886 CEST	7080	49732	118.69.11.81	192.168.2.3
Aug 12, 2021 03:57:10.679141998 CEST	49732	7080	192.168.2.3	118.69.11.81
Aug 12, 2021 03:57:10.971328974 CEST	7080	49732	118.69.11.81	192.168.2.3
Aug 12, 2021 03:57:11.475862980 CEST	49732	7080	192.168.2.3	118.69.11.81
Aug 12, 2021 03:57:11.766032934 CEST	7080	49732	118.69.11.81	192.168.2.3
Aug 12, 2021 03:57:15.716682911 CEST	49734	8080	192.168.2.3	70.39.251.94
Aug 12, 2021 03:57:18.726491928 CEST	49734	8080	192.168.2.3	70.39.251.94
Aug 12, 2021 03:57:24.742553949 CEST	49734	8080	192.168.2.3	70.39.251.94
Aug 12, 2021 03:57:39.502053022 CEST	49743	8080	192.168.2.3	87.230.25.43
Aug 12, 2021 03:57:42.494224072 CEST	49743	8080	192.168.2.3	87.230.25.43
Aug 12, 2021 03:57:48.510287046 CEST	49743	8080	192.168.2.3	87.230.25.43
Aug 12, 2021 03:58:03.256244898 CEST	49746	8080	192.168.2.3	94.23.62.116
Aug 12, 2021 03:58:06.261801958 CEST	49746	8080	192.168.2.3	94.23.62.116
Aug 12, 2021 03:58:12.262634039 CEST	49746	8080	192.168.2.3	94.23.62.116
Aug 12, 2021 03:58:26.576965094 CEST	49747	8080	192.168.2.3	37.187.161.206
Aug 12, 2021 03:58:29.591875076 CEST	49747	8080	192.168.2.3	37.187.161.206
Aug 12, 2021 03:58:35.593087912 CEST	49747	8080	192.168.2.3	37.187.161.206

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 12, 2021 03:56:18.351986885 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:18.385015965 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:19.360238075 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:19.395855904 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:20.394551039 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:20.431025982 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:21.398260117 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:21.423414946 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:22.782027960 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:22.808847904 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:23.883279085 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:23.910010099 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:24.951705933 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:24.987838984 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:26.463476896 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:26.491292000 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:27.663244963 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:27.697756052 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:28.618458986 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:28.647265911 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:29.593436003 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:29.618381023 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:30.419151068 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:30.445604086 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:31.228681087 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:31.262768030 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:32.431837082 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:32.466243029 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:33.249408960 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:33.283092976 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:34.056021929 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:34.093295097 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:35.100332975 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:35.126013041 CEST	53	50540	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:48.904486895 CEST	54366	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:48.937880039 CEST	53	54366	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:49.363924980 CEST	53034	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:49.409450054 CEST	53	53034	8.8.8.8	192.168.2.3
Aug 12, 2021 03:56:54.969935894 CEST	57762	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:56:55.018460989 CEST	53	57762	8.8.8.8	192.168.2.3
Aug 12, 2021 03:57:05.597079039 CEST	55435	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:57:05.641807079 CEST	53	55435	8.8.8.8	192.168.2.3
Aug 12, 2021 03:57:12.833345890 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:57:12.867705107 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 12, 2021 03:57:23.603380919 CEST	56132	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:57:23.645678043 CEST	53	56132	8.8.8.8	192.168.2.3
Aug 12, 2021 03:57:26.713462114 CEST	58987	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:57:26.748547077 CEST	53	58987	8.8.8.8	192.168.2.3
Aug 12, 2021 03:57:58.804032087 CEST	56579	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:57:58.840044975 CEST	53	56579	8.8.8.8	192.168.2.3
Aug 12, 2021 03:58:00.045970917 CEST	60633	53	192.168.2.3	8.8.8.8
Aug 12, 2021 03:58:00.089133024 CEST	53	60633	8.8.8.8	192.168.2.3

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 12, 2021 03:56:48.937880039 CEST	8.8.8.8	192.168.2.3	0xcece	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: svchost.exe PID: 5868 Parent PID: 568

General

Start time:	03:56:24
Start date:	12/08/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: KNEa2w7v3a.exe PID: 5700 Parent PID: 5596

General

Start time:	03:56:24
Start date:	12/08/2021
Path:	C:\Users\user\Desktop\KNEa2w7v3a.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\KNEa2w7v3a.exe'
Imagebase:	0x400000
File size:	479232 bytes
MD5 hash:	F8ADCF71A8C4E5C16D11308DFF998ECE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.206004453.0000000002641000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.205611516.0000000002294000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.205562844.0000000002230000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: svchost.exe PID: 5376 Parent PID: 568

General

Start time:	03:56:25
Start date:	12/08/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 1736 Parent PID: 568

General

Start time:	03:56:26
Start date:	12/08/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: wiaacmgr.exe PID: 6124 Parent PID: 5700

General

Start time:	03:56:26
Start date:	12/08/2021
Path:	C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe
Imagebase:	0x400000
File size:	479232 bytes
MD5 hash:	F8ADCF71A8C4E5C16D11308DFF998ECE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.210049440.0000000002181000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.209938070.0000000002124000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.209835926.00000000020C0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: Windows.Media.Playback.MediaPlayer.exe PID: 6052 Parent PID: 6124

General

Start time:	03:56:27
Start date:	12/08/2021
Path:	C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe
Imagebase:	0x400000
File size:	479232 bytes
MD5 hash:	F8ADCF71A8C4E5C16D11308DFF998ECE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.471191876.00000000020F0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.471538485.0000000002211000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.471462272.00000000021B4000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: svchost.exe PID: 4260 Parent PID: 568

General

Start time:	03:56:48
Start date:	12/08/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 5900 Parent PID: 568

General

Start time:	03:56:51
Start date:	12/08/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 2024 Parent PID: 568

General

Start time:	03:56:56
Start date:	12/08/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 4364 Parent PID: 568

General

Start time:	03:57:02
Start date:	12/08/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 6076 Parent PID: 568

General

Start time:	03:57:03
Start date:	12/08/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 4788 Parent PID: 568

General

Start time:	03:57:03
Start date:	12/08/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 5728 Parent PID: 568

General

Start time:	03:57:04
Start date:	12/08/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 496 Parent PID: 568

General

Start time:	03:57:04
Start date:	12/08/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: SgrmBroker.exe PID: 1180 Parent PID: 568

General

Start time:	03:57:05
Start date:	12/08/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff6665f0000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 4072 Parent PID: 568

General

Start time:	03:57:05
Start date:	12/08/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: MpCmdRun.exe PID: 720 Parent PID: 4072

General

Start time:	03:58:06
Start date:	12/08/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff6741d0000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 1396 Parent PID: 720

General

Start time:	03:58:07
Start date:	12/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report KNEa2w7v3a.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre