Windows Analysis Report
IEmxqChwE0.exe

Overview

General Information

Sample Name: IEmxqChwE0.exe
Analysis ID: 679394
MD5: 0d32ff3680a716fd66cb9ab0e3ebc763
SHA1: 2aa356f14a156bf56efc66e39e0654bddb4fd95a
SHA256: 21719369d4b1474ad31c61c60ec7510ab511a21ba5659cca266f1e6a933cdc71
Tags: DCRat, exe

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected DCRat
Drops executable to a common third party application directory
Creates processes via WMI
Machine Learning detection for sample
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: IEmxqChwE0.exe Virustotal: Detection: 59%
Source: IEmxqChwE0.exe Metadefender: Detection: 42%
Source: IEmxqChwE0.exe ReversingLabs: Detection: 84%
Source: IEmxqChwE0.exe Avira: detected
Source: C:\MSOCache\All Users\RuntimeBroker.exe Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\Windows\WaaS\services\dllhost.exe Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\ZoFSCoTkutoORrrfFQrZkaw.exe Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\Recovery\ShellExperienceHost.exe Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\MSOCache\All Users\RuntimeBroker.exe Metadefender: Detection: 42%
Source: C:\MSOCache\All Users\RuntimeBroker.exe ReversingLabs: Detection: 84%
Source: C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\ZoFSCoTkutoORrrfFQrZkaw.exe Metadefender: Detection: 42%
Source: C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\ZoFSCoTkutoORrrfFQrZkaw.exe ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe Metadefender: Detection: 42%
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\WindowsPowerShell\ZoFSCoTkutoORrrfFQrZkaw.exe Metadefender: Detection: 42%
Source: C:\Program Files (x86)\WindowsPowerShell\ZoFSCoTkutoORrrfFQrZkaw.exe ReversingLabs: Detection: 84%
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe Metadefender: Detection: 42%
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe ReversingLabs: Detection: 84%
Source: C:\Recovery\RuntimeBroker.exe Metadefender: Detection: 42%
Source: C:\Recovery\RuntimeBroker.exe ReversingLabs: Detection: 84%
Source: C:\Recovery\ShellExperienceHost.exe Metadefender: Detection: 42%
Source: C:\Recovery\ShellExperienceHost.exe ReversingLabs: Detection: 84%
Source: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe Metadefender: Detection: 42%
Source: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe ReversingLabs: Detection: 84%
Source: C:\Windows\Speech_OneCore\Engines\TTS\ZoFSCoTkutoORrrfFQrZkaw.exe Metadefender: Detection: 42%
Source: C:\Windows\Speech_OneCore\Engines\TTS\ZoFSCoTkutoORrrfFQrZkaw.exe ReversingLabs: Detection: 84%
Source: IEmxqChwE0.exe Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\RuntimeBroker.exe Joe Sandbox ML: detected
Source: C:\Windows\WaaS\services\dllhost.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\ZoFSCoTkutoORrrfFQrZkaw.exe Joe Sandbox ML: detected
Source: C:\Recovery\ShellExperienceHost.exe Joe Sandbox ML: detected
Source: 00000011.00000002.507606003.0000000003768000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: DCRat {"SCRT": "{\"W\":\"-\",\"j\":\"%\",\"i\":\"`\",\"D\":\")\",\"v\":\"!\",\"V\":\"#\",\"N\":\" \",\"a\":\",\",\"M\":\"(\",\"6\":\"_\",\"I\":\"<\",\"p\":\"@\",\"0\":\"|\",\"H\":\"^\",\"1\":\">\",\"t\":\"*\",\"J\":\"$\",\"d\":\"&\",\"z\":\"~\",\"L\":\".\",\"O\":\";\"}", "PCRT": "{\"h\":\"(\",\"n\":\"@\",\"M\":\"|\",\"Y\":\"%\",\"Q\":\")\",\"l\":\"&\",\"F\":\"#\",\"O\":\"<\",\"U\":\"!\",\"W\":\"`\",\"c\":\">\",\"2\":\"^\",\"B\":\" \",\"a\":\",\",\"K\":\".\",\"Z\":\"_\",\"m\":\"-\",\"E\":\"~\",\"o\":\";\",\"x\":\"*\",\"p\":\"$\"}", "TAG": "", "MUTEX": "DCR_MUTEX-5BbmMLF7hMWVj4tneyWz", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": true, "ignorepartiallyemptydata": true, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}
Source: IEmxqChwE0.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Directory created: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Directory created: C:\Program Files\Common Files\microsoft shared\vgx\9e8d7a4ca61bd9
Source: IEmxqChwE0.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll source: IEmxqChwE0.exe, 00000000.00000002.363274417.0000000002810000.00000004.00000800.00020000.00000000.sdmp, IEmxqChwE0.exe, 00000000.00000002.470963918.000000001AFB0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb source: IEmxqChwE0.exe, 00000000.00000002.363274417.0000000002810000.00000004.00000800.00020000.00000000.sdmp, IEmxqChwE0.exe, 00000000.00000002.470963918.000000001AFB0000.00000004.08000000.00040000.00000000.sdmp

Networking

Source: Traffic Snort IDS: 2850862 ETPRO TROJAN DCRat Initial Checkin Server Response M4 5.23.51.236:80 -> 192.168.2.4:49716
Source: RuntimeBroker.exe, 00000011.00000002.515301987.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: RuntimeBroker.exe, 00000011.00000002.515301987.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ;"https://www.facebook.com/chat/video/videocalldownload.php" equals www.facebook.com (Facebook)
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: romium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-j
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]} equals www.facebook.com (Facebook)
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: RuntimeBroker.exe, 00000011.00000002.505413951.00000000036A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cd44093.tmweb.ru
Source: RuntimeBroker.exe, 00000011.00000002.505413951.00000000036A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cd44093.tmweb.ru/
Source: RuntimeBroker.exe, 00000011.00000002.505413951.00000000036A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cd44093.tmweb.ru/_Defaultwindows.php?aRMYTVOUDKp5xKJ84fbVPR0rCj=25pNzWjTJ&EI841VYtPwU=tc1VJiJ
Source: RuntimeBroker.exe, 00000011.00000002.517984489.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.509547529.000000000380D000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.509718411.000000000382E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cd44093.tmweb.ru/_Defaultwindows.php?dKi2zUqI5X9HnmLXfJLuzzS=EvZPxw2pbp0wsTa&MzkLtwK6Jlzw4K2n
Source: RuntimeBroker.exe, 00000011.00000002.507606003.0000000003768000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.510002464.000000000384D000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.511767123.0000000003943000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.517984489.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.509547529.000000000380D000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.509718411.000000000382E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cd44093.tmweb.ru8
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: WmiPrvSE.exe, 00000025.00000002.445673226.000000000134A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.mic
Source: IEmxqChwE0.exe, 00000000.00000002.369233850.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.505413951.00000000036A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://support.apple.com/kb/HT203092
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: RuntimeBroker.exe, 00000011.00000002.515301987.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RuntimeBroker.exe, 00000011.00000002.515301987.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RuntimeBroker.exe, 00000011.00000002.515301987.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RuntimeBroker.exe, 00000011.00000002.515301987.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RuntimeBroker.exe, 00000011.00000002.515301987.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RuntimeBroker.exe, 00000011.00000002.515301987.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.516172430.0000000003B5E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: RuntimeBroker.exe, 00000011.00000002.515301987.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.516172430.0000000003B5E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: RuntimeBroker.exe, 00000011.00000002.515301987.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.516172430.0000000003B5E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown DNS traffic detected: queries for: cd44093.tmweb.ru
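The C2 traffic in this section has a recognisable shape beyond the exact indicators: the bot resolves cd44093.tmweb.ru, the Snort alert ties the check-in to 5.23.51.236:80, and the beacon URLs are a .php endpoint whose query string carries several long, mixed-case, digit-bearing tokens (_Defaultwindows.php?aRMYTVOUDKp5xKJ84fbVPR0rCj=25pNzWjTJ&EI841VYtPwU=tc1VJiJ). The Python below is an added example, not part of the Joe Sandbox report, that scans proxy-log lines for both the exact IOCs from this report and that beacon shape. The log format, the "looks random" thresholds and the sample log are constructed assumptions; the shape heuristic will also fire on some legitimate sites that use opaque query tokens, so treat it as a triage signal, not a verdict.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Network IOCs taken from the report: the host resolved via DNS and the
# address in the Snort "DCRat Initial Checkin" alert.
KNOWN_C2 = {"cd44093.tmweb.ru", "5.23.51.236"}


def looks_random(token: str) -> bool:
    """Heuristic for DCRat-style query tokens (assumed thresholds): alphanumeric,
    at least 6 characters, containing a digit, with the letters switching
    case at least three times (e.g. 'EI841VYtPwU')."""
    if len(token) < 6 or not token.isalnum() or not re.search(r"\d", token):
        return False
    letters = [c for c in token if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def classify_url(url: str) -> list:
    """Return the reasons a URL is suspicious (empty list if none)."""
    parts = urlsplit(url)
    reasons = []
    if parts.hostname in KNOWN_C2:
        reasons.append("known-c2-host")
    # keep_blank_values: the second beacon ends in a bare key with no '='.
    params = parse_qsl(parts.query, keep_blank_values=True)
    tokens = [t for key, value in params for t in (key, value) if t]
    if (parts.path.lower().endswith(".php") and len(params) >= 2
            and sum(map(looks_random, tokens)) >= 3):
        reasons.append("random-php-query")
    return reasons


def scan_proxy_log(lines) -> list:
    """Each line is '<timestamp> <client> <method> <url>' (a constructed
    format). Returns (client, url, reasons) for every flagged request."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        reasons = classify_url(fields[3])
        if reasons:
            hits.append((fields[1], fields[3], reasons))
    return hits


# Constructed sample log: two beacons copied from the report's memory strings,
# one beacon-shaped request to an unrelated host, and two benign requests.
SAMPLE_LOG = [
    "2022-08-02T10:00:01Z 192.168.2.4 GET http://cd44093.tmweb.ru/_Defaultwindows.php?aRMYTVOUDKp5xKJ84fbVPR0rCj=25pNzWjTJ&EI841VYtPwU=tc1VJiJ",
    "2022-08-02T10:00:06Z 192.168.2.4 GET http://cd44093.tmweb.ru/_Defaultwindows.php?dKi2zUqI5X9HnmLXfJLuzzS=EvZPxw2pbp0wsTa&MzkLtwK6Jlzw4K2n",
    "2022-08-02T10:01:00Z 192.168.2.9 GET http://203.0.113.7/gate.php?aRMYTVOUDKp5xKJ84fbVPR0rCj=25pNzWjTJ&EI841VYtPwU=tc1VJiJ",
    "2022-08-02T10:01:30Z 192.168.2.9 GET https://www.google.com/search?q=SomeThing&hl=en",
    "2022-08-02T10:02:00Z 192.168.2.9 GET http://shop.example/index.php?id=5&page=home",
]

if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(client, ",".join(reasons), url)
```

The exact-match rule is what you would push to a blocklist; the shape rule is what catches the next build of the same family after the operator changes hosting, at the cost of reviewing a few false positives.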
Source: 00000000.00000002.399908705.0000000012CA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: Process Memory Space: IEmxqChwE0.exe PID: 6036, type: MEMORYSTR Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
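The SUSP_Double_Base64_Encoded_Executable match above keys on a simple property: base64 is deterministic, so the fixed MZ header of any PE ("MZ\x90\x00\x03\x00\x00\x00..." encodes to "TVqQAAMAAAAE...") produces the same fixed prefix again when that text is base64-encoded a second time ("VFZxUUFBTUFB..."), which is what such a rule can anchor on. The Python below is an added example, not code from the report or from the YARA rule's author, that shows the derivation and the inverse: peeling base64 layers off a blob until a PE header appears. The stand-in PE bytes are constructed, not the sample's, and the layer limit is an assumption.

```python
import base64
import binascii
import re
import struct


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE file (not the sample's bytes): a 64-byte DOS
    header whose e_lfanew points at a 'PE\\0\\0' signature."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[2:12] = b"\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"   # usual MZ stub prefix
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> PE header
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def is_pe_like(data: bytes) -> bool:
    """MZ magic plus a PE signature at the offset named by e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def encode_layers(data: bytes, layers: int) -> bytes:
    """Apply base64 `layers` times; two layers is what the YARA rule targets."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


def double_base64(data: bytes) -> str:
    return encode_layers(data, 2).decode("ascii")


_B64 = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def unwrap_base64(blob: bytes, max_layers: int = 4):
    """Strip base64 layers until a PE header appears. Returns (payload, layers)
    or (None, layers_tried) if no PE emerges within max_layers decodes."""
    current = blob
    for layer in range(max_layers + 1):
        if is_pe_like(current):
            return current, layer
        if layer == max_layers:
            break
        stripped = re.sub(rb"\s+", b"", current)        # tolerate line-wrapped base64
        if not _B64.fullmatch(stripped) or len(stripped) % 4:
            return None, layer
        try:
            current = base64.b64decode(stripped, validate=True)
        except (binascii.Error, ValueError):
            return None, layer
    return None, max_layers


if __name__ == "__main__":
    pe = build_fake_pe()
    encoded = double_base64(pe)
    print(encoded[:24])                      # starts with VFZxUUFBTUFB
    payload, layers = unwrap_base64(encoded.encode())
    print(layers, is_pe_like(payload))
```

When carving this out of a memory dump, run unwrap_base64 over each base64-looking run of at least a few hundred bytes; the rule fires on the prefix, but the unwrapped bytes are what you hash and submit.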
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File created: C:\Windows\Speech_OneCore\Engines\TTS\ZoFSCoTkutoORrrfFQrZkaw.exe
Source: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe Code function: 5_2_00007FFF825A2C38 5_2_00007FFF825A2C38
Source: C:\Recovery\ShellExperienceHost.exe Code function: 27_2_00007FFF825ABC50 27_2_00007FFF825ABC50
Source: C:\Recovery\ShellExperienceHost.exe Code function: 27_2_00007FFF825AA835 27_2_00007FFF825AA835
Source: C:\Recovery\ShellExperienceHost.exe Code function: 27_2_00007FFF825AAB2D 27_2_00007FFF825AAB2D
Source: IEmxqChwE0.exe, 00000000.00000002.363802658.0000000002857000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename( vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.351548575.00000000007D9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.470778268.000000001AF90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMiscInfoGrabber.dclib4 vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000003.339249075.000000001C372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000003.339249075.000000001C372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.362796533.00000000027DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename( vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.470601942.000000001AF50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename( vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.354305362.0000000000BC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename$ vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.436065939.00000000136A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename$ vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.354417401.0000000000BE0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename( vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.363274417.0000000002810000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMiscInfoGrabber.dclib4 vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.363274417.0000000002810000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename( vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.363274417.0000000002810000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDCLIB.dll, vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.363274417.0000000002810000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUSBSpread.dll4 vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.363274417.0000000002810000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUserPingCounter.dclib4 vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.361156403.000000000275D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename( vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.361156403.000000000275D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDisableUAC.dclib4 vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000000.230255770.000000000039A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.469637960.000000001AEF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDisableUAC.dclib4 vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.470860467.000000001AFA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename( vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.477485478.000000001C380000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.477485478.000000001C380000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe, 00000000.00000002.470963918.000000001AFB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDCLIB.dll, vs IEmxqChwE0.exe
Source: IEmxqChwE0.exe Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs IEmxqChwE0.exe
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File read: C:\Users\user\Desktop\IEmxqChwE0.exe
Source: IEmxqChwE0.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\IEmxqChwE0.exe "C:\Users\user\Desktop\IEmxqChwE0.exe"
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ZoFSCoTkutoORrrfFQrZkawZ" /sc MINUTE /mo 5 /tr "'C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe'" /f
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ZoFSCoTkutoORrrfFQrZkaw" /sc ONLOGON /tr "'C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ZoFSCoTkutoORrrfFQrZkawZ" /sc MINUTE /mo 14 /tr "'C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe'" /f
Source: unknown Process created: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ZoFSCoTkutoORrrfFQrZkawZ" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\ZoFSCoTkutoORrrfFQrZkaw.exe'" /f
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ZoFSCoTkutoORrrfFQrZkaw" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\ZoFSCoTkutoORrrfFQrZkaw.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ZoFSCoTkutoORrrfFQrZkawZ" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\ZoFSCoTkutoORrrfFQrZkaw.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe
Source: unknown Process created: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\ShellExperienceHost.exe'" /f
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\ShellExperienceHost.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\ShellExperienceHost.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ZoFSCoTkutoORrrfFQrZkawZ" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\ZoFSCoTkutoORrrfFQrZkaw.exe'" /f
Source: unknown Process created: C:\Recovery\ShellExperienceHost.exe C:\Recovery\ShellExperienceHost.exe
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ZoFSCoTkutoORrrfFQrZkaw" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\ZoFSCoTkutoORrrfFQrZkaw.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Recovery\ShellExperienceHost.exe C:\Recovery\ShellExperienceHost.exe
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ZoFSCoTkutoORrrfFQrZkawZ" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\ZoFSCoTkutoORrrfFQrZkaw.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\mozilla firefox\plugins\WmiPrvSE.exe'" /f
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\mozilla firefox\plugins\WmiPrvSE.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe C:\Program Files (x86)\mozilla firefox\plugins\WmiPrvSE.exe
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\mozilla firefox\plugins\WmiPrvSE.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\RuntimeBroker.exe'" /f
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe C:\Program Files (x86)\mozilla firefox\plugins\WmiPrvSE.exe
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\RuntimeBroker.exe'" /f
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\MSOCache\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\IEmxqChwE0.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\IEmxqChwE0.exe.log
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File created: C:\Users\user\AppData\Local\Temp\n1eJyN2FEu
Source: classification engine Classification label: mal100.troj.winEXE@33/36@20/0
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File read: C:\Users\desktop.ini
Source: IEmxqChwE0.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Recovery\ShellExperienceHost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\d728178a8bc9e72dab6d832d7b41df6e8cb9b01e
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File created: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe
Source: IEmxqChwE0.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: IEmxqChwE0.exe Static file information: File size 2586624 > 1048576
Source: IEmxqChwE0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Directory created: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Directory created: C:\Program Files\Common Files\microsoft shared\vgx\9e8d7a4ca61bd9
Source: IEmxqChwE0.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x273e00
Source: IEmxqChwE0.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll source: IEmxqChwE0.exe, 00000000.00000002.363274417.0000000002810000.00000004.00000800.00020000.00000000.sdmp, IEmxqChwE0.exe, 00000000.00000002.470963918.000000001AFB0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb source: IEmxqChwE0.exe, 00000000.00000002.363274417.0000000002810000.00000004.00000800.00020000.00000000.sdmp, IEmxqChwE0.exe, 00000000.00000002.470963918.000000001AFB0000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Code function: 0_2_00007FFF825C59C2 push es; iretd 0_2_00007FFF825C59C4
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Code function: 0_2_00007FFF825C59D9 push es; iretd 0_2_00007FFF825C59DB
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe Code function: 17_2_00007FFF825D59C2 push es; iretd 17_2_00007FFF825D59C4
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe Code function: 17_2_00007FFF825D59D9 push es; iretd 17_2_00007FFF825D59DB
Source: C:\Recovery\ShellExperienceHost.exe Code function: 27_2_00007FFF825B59C2 push es; iretd 27_2_00007FFF825B59C4
Source: C:\Recovery\ShellExperienceHost.exe Code function: 27_2_00007FFF825B59D9 push es; iretd 27_2_00007FFF825B59DB
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe Code function: 31_2_00007FFF825E59C2 push es; iretd 31_2_00007FFF825E59C4
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe Code function: 31_2_00007FFF825E59D9 push es; iretd 31_2_00007FFF825E59DB
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe Code function: 37_2_00007FFF825E59C2 push es; iretd 37_2_00007FFF825E59C4
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe Code function: 37_2_00007FFF825E59D9 push es; iretd 37_2_00007FFF825E59DB

Persistence and Installation Behavior

barindex
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File written: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe
Source: C:\Users\user\Desktop\IEmxqChwE0.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File created: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File created: C:\MSOCache\All Users\RuntimeBroker.exe
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File created: C:\Windows\WaaS\services\dllhost.exe
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File created: C:\Recovery\ShellExperienceHost.exe
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File created: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File created: C:\Program Files (x86)\WindowsPowerShell\ZoFSCoTkutoORrrfFQrZkaw.exe
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File created: C:\Recovery\RuntimeBroker.exe
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File created: C:\Windows\Speech_OneCore\Engines\TTS\ZoFSCoTkutoORrrfFQrZkaw.exe
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File created: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File created: C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\ZoFSCoTkutoORrrfFQrZkaw.exe

Boot Survival

barindex
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ZoFSCoTkutoORrrfFQrZkawZ" /sc MINUTE /mo 5 /tr "'C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe'" /f
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Recovery\ShellExperienceHost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\IEmxqChwE0.exe TID: 5196 Thread sleep count: 2459 > 30
Source: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe TID: 5276 Thread sleep count: 1352 > 30
Source: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe TID: 5520 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe TID: 1384 Thread sleep count: 1123 > 30
Source: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe TID: 2100 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe TID: 5732 Thread sleep count: 1126 > 30
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe TID: 5552 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\ShellExperienceHost.exe TID: 5124 Thread sleep count: 1325 > 30
Source: C:\Recovery\ShellExperienceHost.exe TID: 6088 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\ShellExperienceHost.exe TID: 3572 Thread sleep count: 1244 > 30
Source: C:\Recovery\ShellExperienceHost.exe TID: 5764 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe TID: 3180 Thread sleep count: 1070 > 30
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe TID: 3720 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe TID: 256 Thread sleep count: 1060 > 30
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe TID: 5964 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\ShellExperienceHost.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Window / User API: threadDelayed 2459
Source: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe Window / User API: threadDelayed 1352
Source: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe Window / User API: threadDelayed 1123
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe Window / User API: threadDelayed 1252
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe Window / User API: threadDelayed 1126
Source: C:\Recovery\ShellExperienceHost.exe Window / User API: threadDelayed 1325
Source: C:\Recovery\ShellExperienceHost.exe Window / User API: threadDelayed 1244
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe Window / User API: threadDelayed 1070
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe Window / User API: threadDelayed 1060
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\IEmxqChwE0.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\ShellExperienceHost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe File Volume queried: C:\ FullSizeInformation
Source: RuntimeBroker.exe, 00000011.00000002.503800206.00000000016DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware
Source: IEmxqChwE0.exe, 00000000.00000003.337393677.000000001C2B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: IEmxqChwE0.exe, 00000000.00000003.337393677.000000001C2B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: RuntimeBroker.exe, 00000011.00000002.503800206.00000000016DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareYTYZN7OHWin32_VideoControllerEKS7LVLEVideoController120060621000000.000000-00033845.13display.infMSBDAMFL3RNVFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors_Z9794V1
Source: IEmxqChwE0.exe, RuntimeBroker.exe0.0.dr, dllhost.exe.0.dr, RuntimeBroker.exe1.0.dr, WmiPrvSE.exe.0.dr, ZoFSCoTkutoORrrfFQrZkaw.exe0.0.dr, RuntimeBroker.exe.0.dr Binary or memory string: QpHGFSa8Kx1NLJf20O6
Source: RuntimeBroker.exe, 00000011.00000002.543618289.000000001D456000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Process token adjusted: Debug
Source: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe Process token adjusted: Debug
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe Process token adjusted: Debug
Source: C:\Recovery\ShellExperienceHost.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Process created: unknown unknown
Source: RuntimeBroker.exe, 00000011.00000002.511767123.0000000003943000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.509547529.000000000380D000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.509718411.000000000382E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager "
Source: RuntimeBroker.exe, 00000011.00000002.509547529.000000000380D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"138727","UserName":"user","IpInfo":{"ip":"102.129.143.3","city":"Reston","region":"Virginia","country":"US","loc":"38.9609,-77.3429","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"MFL3RNVF (1 GB)","CPUName":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 85 Stepping 7)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Active","SleepTimeout":5}
Source: RuntimeBroker.exe, 00000011.00000002.510002464.000000000384D000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.511767123.0000000003943000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"138727","UserName":"user","IpInfo":{"ip":"102.129.143.3","city":"Reston","region":"Virginia","country":"US","loc":"38.9609,-77.3429","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"MFL3RNVF (1 GB)","CPUName":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 85 Stepping 7)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Active","SleepTimeout":5,"extData":{"db4f70e6cbfde7de61dca6dd23b71ecb342fb588":"63 ms"}}
Source: RuntimeBroker.exe, 00000011.00000002.518124161.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager`
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Queries volume information: C:\Users\user\Desktop\IEmxqChwE0.exe VolumeInformation
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe Queries volume information: C:\Recovery\ZoFSCoTkutoORrrfFQrZkaw.exe VolumeInformation
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe Queries volume information: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe VolumeInformation
Source: C:\Program Files\Common Files\microsoft shared\vgx\RuntimeBroker.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Recovery\ShellExperienceHost.exe Queries volume information: C:\Recovery\ShellExperienceHost.exe VolumeInformation
Source: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe Queries volume information: C:\Program Files (x86)\Mozilla Firefox\plugins\WmiPrvSE.exe VolumeInformation
Source: C:\Users\user\Desktop\IEmxqChwE0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: RuntimeBroker.exe, 00000011.00000002.542804396.000000001D400000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000011.00000002.507606003.0000000003768000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.392526659.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.437075791.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.369748569.000000001252F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IEmxqChwE0.exe PID: 6036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZoFSCoTkutoORrrfFQrZkaw.exe PID: 2988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZoFSCoTkutoORrrfFQrZkaw.exe PID: 5548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 1048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ShellExperienceHost.exe PID: 3764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ShellExperienceHost.exe PID: 336, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WmiPrvSE.exe PID: 408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WmiPrvSE.exe PID: 1448, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000011.00000002.507606003.0000000003768000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.392526659.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.437075791.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.369748569.000000001252F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IEmxqChwE0.exe PID: 6036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZoFSCoTkutoORrrfFQrZkaw.exe PID: 2988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZoFSCoTkutoORrrfFQrZkaw.exe PID: 5548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 1048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ShellExperienceHost.exe PID: 3764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ShellExperienceHost.exe PID: 336, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WmiPrvSE.exe PID: 408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WmiPrvSE.exe PID: 1448, type: MEMORYSTR
No contacted IP infos