Edit tour

Windows Analysis Report
task1.exe

Overview

General Information

Sample name:	task1.exe
Analysis ID:	1645426
MD5:	2ba73d2d47cf2d388446b781613b7eff
SHA1:	c75c7eb4814835388881d1b4c2db67e64a023e1e
SHA256:	06c6442d5bb110140ac1cdbcf1be52388441b9a0750d59b743acc6b52d19582b
Infos:

Detection

Emotet

Score:	96
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Emotet

Changes security center settings (notifications, updates, antivirus, firewall)

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Joe Sandbox ML detected suspicious sample

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Drops PE files to the windows directory (C:\Windows)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Destination Ports

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Process Tree

System is w10x64

task1.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\task1.exe" MD5: 2BA73D2D47CF2D388446B781613B7EFF)

Phoneutil.exe (PID: 7648 cmdline: "C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe" MD5: 2BA73D2D47CF2D388446B781613B7EFF)

svchost.exe (PID: 7744 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7932 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 7968 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 8008 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 8044 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 8080 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 5324 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Emotet	While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.Emotet had been taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.	GOLD CABIN MUMMY SPIDER Mealybug	http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1 http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/ http://ropgadget.com/posts/defensive_pcres.html https://adalogics.com/blog/the-state-of-advanced-code-injections https://asec.ahnlab.com/en/33600/	https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1169317226.0000000002291000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x2d6c:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
00000000.00000002.1169283675.0000000002274000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.1169283675.0000000002274000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x31dc:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
00000000.00000002.1169237913.0000000002260000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.1169237913.0000000002260000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x590a:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
00000001.00000002.3037538833.0000000000520000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.3037538833.0000000000520000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x590a:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
00000001.00000002.3037797456.0000000000561000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.3037797456.0000000000561000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x2d6c:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
00000001.00000002.3037700653.0000000000544000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.3037700653.0000000000544000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x31dc:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 134.209.36.254, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe, Initiated: true, ProcessId: 7648, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49729

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7744, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Win32/Emotet CnC Activity (POST) M10

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-21T18:38:20.277675+0100	2030868	1	A Network Trojan was detected	192.168.2.4	49735	194.187.133.160	443	TCP

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• E-Banking Fraud
• System Summary
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: task1.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: task1.exe	Virustotal: Detection: 93%			Perma Link
Source: task1.exe	ReversingLabs: Detection: 86%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 91.3% probability

Source: task1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.4:49735 -> 194.187.133.160:443

Source: global traffic	TCP traffic: 192.168.2.4:49729 -> 134.209.36.254:8080
Source: global traffic	TCP traffic: 192.168.2.4:49732 -> 104.156.59.7:8080
Source: global traffic	TCP traffic: 192.168.2.4:49734 -> 120.138.30.150:8080
Source: global traffic	TCP traffic: 192.168.2.4:49736 -> 104.236.246.93:8080
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 74.208.45.104:8080

Source: Joe Sandbox View	IP Address: 74.208.45.104 74.208.45.104
Source: Joe Sandbox View	IP Address: 104.236.246.93 104.236.246.93

Source: global traffic

HTTP traffic detected: POST /Y1pc/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 194.187.133.160/Y1pc/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------oVoFEuGEHost: 194.187.133.160:443Content-Length: 5988Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 74.219.172.26
Source: unknown	TCP traffic detected without corresponding DNS query: 74.219.172.26
Source: unknown	TCP traffic detected without corresponding DNS query: 74.219.172.26
Source: unknown	TCP traffic detected without corresponding DNS query: 74.219.172.26
Source: unknown	TCP traffic detected without corresponding DNS query: 74.219.172.26
Source: unknown	TCP traffic detected without corresponding DNS query: 134.209.36.254
Source: unknown	TCP traffic detected without corresponding DNS query: 134.209.36.254
Source: unknown	TCP traffic detected without corresponding DNS query: 134.209.36.254
Source: unknown	TCP traffic detected without corresponding DNS query: 134.209.36.254
Source: unknown	TCP traffic detected without corresponding DNS query: 134.209.36.254
Source: unknown	TCP traffic detected without corresponding DNS query: 104.156.59.7
Source: unknown	TCP traffic detected without corresponding DNS query: 104.156.59.7
Source: unknown	TCP traffic detected without corresponding DNS query: 104.156.59.7
Source: unknown	TCP traffic detected without corresponding DNS query: 104.156.59.7
Source: unknown	TCP traffic detected without corresponding DNS query: 104.156.59.7
Source: unknown	TCP traffic detected without corresponding DNS query: 120.138.30.150
Source: unknown	TCP traffic detected without corresponding DNS query: 120.138.30.150
Source: unknown	TCP traffic detected without corresponding DNS query: 120.138.30.150
Source: unknown	TCP traffic detected without corresponding DNS query: 120.138.30.150
Source: unknown	TCP traffic detected without corresponding DNS query: 120.138.30.150
Source: unknown	TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown	TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown	TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown	TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 74.208.45.104
Source: unknown	TCP traffic detected without corresponding DNS query: 74.208.45.104
Source: unknown	TCP traffic detected without corresponding DNS query: 74.208.45.104
Source: unknown	TCP traffic detected without corresponding DNS query: 74.208.45.104
Source: unknown	TCP traffic detected without corresponding DNS query: 74.208.45.104
Source: unknown	TCP traffic detected without corresponding DNS query: 78.187.156.31
Source: unknown	TCP traffic detected without corresponding DNS query: 78.187.156.31
Source: unknown	TCP traffic detected without corresponding DNS query: 78.187.156.31
Source: unknown	TCP traffic detected without corresponding DNS query: 78.187.156.31
Source: unknown	TCP traffic detected without corresponding DNS query: 78.187.156.31

Source: unknown

Source: Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.2071543930.000000000065F000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.2595522273.000000000065F000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.2353142170.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.156.59.7:8080/4MpJIomdFS/AhgpOuUgBy4aHjgupB/eJJ1yfkvN/
Source: Phoneutil.exe, 00000001.00000003.2071543930.000000000065F000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.2353142170.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.156.59.7:8080/4MpJIomdFS/AhgpOuUgBy4aHjgupB/eJJ1yfkvN/XfvR
Source: Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.156.59.7:8080/4MpJIomdFS/AhgpOuUgBy4aHjgupB/eJJ1yfkvN/qos.dll.mui2
Source: Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.2595522273.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/
Source: Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/3X
Source: Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/J
Source: Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.2595522273.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/L
Source: Phoneutil.exe, 00000001.00000003.2595522273.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/NfdRD
Source: Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.2595522273.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/XfvR
Source: Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/l
Source: Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://120.138.30.150:8080/TtO7iJKw/dmEUHo7CiLr/1HTG6mqcu959EIrb/GBEb45L/fYJUj/
Source: Phoneutil.exe, 00000001.00000003.1830802025.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://134.209.36.254:8080/PSru9ZpnF8/uUf0InRShO48k/IHRU8CZof4tQ4U/3Mr3e/8vRhggsYnHk/
Source: Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://134.209.36.254:8080/PSru9ZpnF8/uUf0InRShO48k/IHRU8CZof4tQ4U/3Mr3e/8vRhggsYnHk/G
Source: Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://134.209.36.254:8080/PSru9ZpnF8/uUf0InRShO48k/IHRU8CZof4tQ4U/3Mr3e/8vRhggsYnHk/rameters
Source: Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.187.133.160:443/Y1pc/
Source: Phoneutil.exe, 00000001.00000003.2595481665.000000000293B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.187.133.160:443/Y1pc/50uw0aihGiY/QQLBkeQEGQ5dK5A/
Source: Phoneutil.exe, 00000001.00000002.3038358005.0000000002930000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.187.133.160:443/Y1pc/ad8-9c31255dc46a
Source: Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.187.133.160:443/Y1pc/k
Source: Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://74.208.45.104:8080/1TdWM1Fg1DUOJc/G4zcJgHiN8HgM1c/IsSYYO9RXbHxbgBmWUp/
Source: Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://74.219.172.26/PraWKy0XfLrY2h3/5eggl4Vw/aGVmFbV50uw0aihGiY/QQLBkeQEGQ5dK5A/
Source: Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://74.219.172.26/PraWKy0XfLrY2h3/5eggl4Vw/aGVmFbV50uw0aihGiY/QQLBkeQEGQ5dK5A/3
Source: Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://74.219.172.26/PraWKy0XfLrY2h3/5eggl4Vw/aGVmFbV50uw0aihGiY/QQLBkeQEGQ5dK5A/_
Source: Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://74.219.172.26/PraWKy0XfLrY2h3/5eggl4Vw/aGVmFbV50uw0aihGiY/QQLBkeQEGQ5dK5A/q
Source: Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://78.187.156.31/XvqTjPjgHoDJiEfG1x/fqlli/coXWK0DTo2MOHtU/knVHJI50waML6IMly/0cAOm/
Source: Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://78.187.156.31/XvqTjPjgHoDJiEfG1x/fqlli/coXWK0DTo2MOHtU/knVHJI50waML6IMly/0cAOm/?
Source: Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://78.187.156.31/XvqTjPjgHoDJiEfG1x/fqlli/coXWK0DTo2MOHtU/knVHJI50waML6IMly/0cAOm/X
Source: Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://78.187.156.31/XvqTjPjgHoDJiEfG1x/fqlli/coXWK0DTo2MOHtU/knVHJI50waML6IMly/0cAOm/f8
Source: Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://78.187.156.31/XvqTjPjgHoDJiEfG1x/fqlli/coXWK0DTo2MOHtU/knVHJI50waML6IMly/0cAOm/k
Source: svchost.exe, 00000002.00000002.2516522131.000002295B800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000002.00000003.1203802155.000002295BA18000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000002.00000003.1203802155.000002295BA18000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000002.00000003.1203802155.000002295BA18000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000002.00000003.1203802155.000002295BA4D000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.2.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: svchost.exe, 00000003.00000002.1365020747.000002552DE24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365087195.000002552DE59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000003.00000002.1365056058.000002552DE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364155368.000002552DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364031598.000002552DE6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365122844.000002552DE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365158669.000002552DE70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364313558.000002552DE5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364347295.000002552DE43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000003.00000002.1365140186.000002552DE68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364113934.000002552DE67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000003.00000002.1365175140.000002552DE76000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363965865.000002552DE74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000003.1364155368.000002552DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365020747.000002552DE24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365122844.000002552DE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364313558.000002552DE5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000003.00000002.1365020747.000002552DE24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365140186.000002552DE68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364113934.000002552DE67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000003.00000003.1364155368.000002552DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365020747.000002552DE24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365122844.000002552DE63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000003.00000002.1365020747.000002552DE24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000002.1365056058.000002552DE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364155368.000002552DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365122844.000002552DE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364347295.000002552DE43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000003.00000003.1363948269.000002552DE35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000002.1365020747.000002552DE24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000003.1364155368.000002552DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365122844.000002552DE63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000003.00000002.1365056058.000002552DE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364347295.000002552DE43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364211336.000002552DE5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000003.1364379404.000002552DE33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000003.00000003.1363948269.000002552DE35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000003.00000002.1365020747.000002552DE24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365140186.000002552DE68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364113934.000002552DE67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000002.00000003.1203802155.000002295BAC2000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000002.00000003.1203802155.000002295BAC2000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 00000002.00000003.1203802155.000002295BAC2000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.2.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: svchost.exe, 00000003.00000003.1364347295.000002552DE43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000003.00000003.1364347295.000002552DE43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000003.1364347295.000002552DE43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000003.1364233034.000002552DE5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000003.00000002.1365020747.000002552DE24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365087195.000002552DE59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=

Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 00000000.00000002.1169283675.0000000002274000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1169237913.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3037538833.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3037797456.0000000000561000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3037700653.0000000000544000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1169317226.0000000002291000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 00000000.00000002.1169283675.0000000002274000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 00000000.00000002.1169237913.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 00000001.00000002.3037538833.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 00000001.00000002.3037797456.0000000000561000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 00000001.00000002.3037700653.0000000000544000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown

Source: C:\Users\user\Desktop\task1.exe	File created: C:\Windows\SysWOW64\mfc110enu\			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp			Jump to behavior

Source: C:\Users\user\Desktop\task1.exe

File deleted: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe:Zone.Identifier

Jump to behavior

Source: task1.exe, 00000000.00000000.1165258041.000000000041C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDialupwatch.EXEP vs task1.exe
Source: task1.exe	Binary or memory string: OriginalFilenameDialupwatch.EXEP vs task1.exe

Source: task1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 00000000.00000002.1169317226.0000000002291000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 00000000.00000002.1169283675.0000000002274000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 00000000.00000002.1169237913.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 00000001.00000002.3037538833.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 00000001.00000002.3037797456.0000000000561000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 00000001.00000002.3037700653.0000000000544000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13

Source: classification engine

Classification label: mal96.troj.evad.winEXE@12/6@0/9

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:1436:120:WilError_03

Source: task1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\task1.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\task1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: task1.exe	Virustotal: Detection: 93%
Source: task1.exe	ReversingLabs: Detection: 86%

Source: unknown	Process created: C:\Users\user\Desktop\task1.exe "C:\Users\user\Desktop\task1.exe"
Source: C:\Users\user\Desktop\task1.exe	Process created: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe "C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\task1.exe	Process created: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe "C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: C:\Users\user\Desktop\task1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll	Jump to behavior

Source: C:\Users\user\Desktop\task1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\task1.exe

Executable created and started: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe

Jump to behavior

Source: C:\Users\user\Desktop\task1.exe

PE file moved: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\task1.exe

File opened: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\task1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\task1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 7808	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7872	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\task1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: svchost.exe, 00000006.00000002.3037254575.0000019EA0A00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: svchost.exe, 00000006.00000002.3037446356.0000019EA0A55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000002.00000002.2516098945.000002295622B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: svchost.exe, 00000006.00000002.3037572360.0000019EA0A7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dules;%$@\??\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000006.00000002.3037572360.0000019EA0A7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}h
Source: svchost.exe, 00000006.00000002.3037380145.0000019EA0A29000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.1830653440.0000000002966000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.2595481665.000000000293B000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002930000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.1590867066.000000000295A000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.1590893121.0000000002965000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2516590266.000002295B85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.3037254575.0000019EA0A00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000006.00000002.3037540120.0000019EA0A64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000e1}
Source: svchost.exe, 00000006.00000002.3037671589.0000019EA0B02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000006.00000002.3037572360.0000019EA0A7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}er

Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\task1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 00000007.00000002.3038018799.00000154E0102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000007.00000002.3038018799.00000154E0102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 00000000.00000002.1169283675.0000000002274000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1169237913.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3037538833.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3037797456.0000000000561000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3037700653.0000000000544000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	12 Masquerading	OS Credential Dumping	41 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
task1.exe	93%	Virustotal		Browse
task1.exe	87%	ReversingLabs	Win32.Trojan.Emotet
task1.exe	100%	Avira	HEUR/AGEN.1344145

Source	Detection	Scanner	Label
http://120.138.30.150:8080/TtO7iJKw/dmEUHo7CiLr/1HTG6mqcu959EIrb/GBEb45L/fYJUj/	0%	Avira URL Cloud	safe
http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/NfdRD	0%	Avira URL Cloud	safe
http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/XfvR	0%	Avira URL Cloud	safe
http://74.219.172.26/PraWKy0XfLrY2h3/5eggl4Vw/aGVmFbV50uw0aihGiY/QQLBkeQEGQ5dK5A/_	0%	Avira URL Cloud	safe
http://104.156.59.7:8080/4MpJIomdFS/AhgpOuUgBy4aHjgupB/eJJ1yfkvN/	0%	Avira URL Cloud	safe
http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/L	0%	Avira URL Cloud	safe
http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/	0%	Avira URL Cloud	safe
http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/J	0%	Avira URL Cloud	safe
http://194.187.133.160:443/Y1pc/k	0%	Avira URL Cloud	safe
http://104.156.59.7:8080/4MpJIomdFS/AhgpOuUgBy4aHjgupB/eJJ1yfkvN/qos.dll.mui2	0%	Avira URL Cloud	safe
http://134.209.36.254:8080/PSru9ZpnF8/uUf0InRShO48k/IHRU8CZof4tQ4U/3Mr3e/8vRhggsYnHk/G	0%	Avira URL Cloud	safe
http://78.187.156.31/XvqTjPjgHoDJiEfG1x/fqlli/coXWK0DTo2MOHtU/knVHJI50waML6IMly/0cAOm/f8	0%	Avira URL Cloud	safe
http://194.187.133.160:443/Y1pc/ad8-9c31255dc46a	0%	Avira URL Cloud	safe
https://194.187.133.160:443/Y1pc/	0%	Avira URL Cloud	safe
http://104.156.59.7:8080/4MpJIomdFS/AhgpOuUgBy4aHjgupB/eJJ1yfkvN/XfvR	0%	Avira URL Cloud	safe
http://78.187.156.31/XvqTjPjgHoDJiEfG1x/fqlli/coXWK0DTo2MOHtU/knVHJI50waML6IMly/0cAOm/X	0%	Avira URL Cloud	safe
http://78.187.156.31/XvqTjPjgHoDJiEfG1x/fqlli/coXWK0DTo2MOHtU/knVHJI50waML6IMly/0cAOm/?	0%	Avira URL Cloud	safe
http://74.219.172.26/PraWKy0XfLrY2h3/5eggl4Vw/aGVmFbV50uw0aihGiY/QQLBkeQEGQ5dK5A/3	0%	Avira URL Cloud	safe
http://194.187.133.160:443/Y1pc/	0%	Avira URL Cloud	safe
http://74.219.172.26/PraWKy0XfLrY2h3/5eggl4Vw/aGVmFbV50uw0aihGiY/QQLBkeQEGQ5dK5A/	0%	Avira URL Cloud	safe
http://134.209.36.254:8080/PSru9ZpnF8/uUf0InRShO48k/IHRU8CZof4tQ4U/3Mr3e/8vRhggsYnHk/rameters	0%	Avira URL Cloud	safe
http://74.208.45.104:8080/1TdWM1Fg1DUOJc/G4zcJgHiN8HgM1c/IsSYYO9RXbHxbgBmWUp/	0%	Avira URL Cloud	safe
http://74.219.172.26/PraWKy0XfLrY2h3/5eggl4Vw/aGVmFbV50uw0aihGiY/QQLBkeQEGQ5dK5A/q	0%	Avira URL Cloud	safe
http://78.187.156.31/XvqTjPjgHoDJiEfG1x/fqlli/coXWK0DTo2MOHtU/knVHJI50waML6IMly/0cAOm/	0%	Avira URL Cloud	safe
http://78.187.156.31/XvqTjPjgHoDJiEfG1x/fqlli/coXWK0DTo2MOHtU/knVHJI50waML6IMly/0cAOm/k	0%	Avira URL Cloud	safe
http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/3X	0%	Avira URL Cloud	safe
http://134.209.36.254:8080/PSru9ZpnF8/uUf0InRShO48k/IHRU8CZof4tQ4U/3Mr3e/8vRhggsYnHk/	0%	Avira URL Cloud	safe
http://194.187.133.160:443/Y1pc/50uw0aihGiY/QQLBkeQEGQ5dK5A/	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
https://194.187.133.160:443/Y1pc/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://120.138.30.150:8080/TtO7iJKw/dmEUHo7CiLr/1HTG6mqcu959EIrb/GBEb45L/fYJUj/	Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000003.00000002.1365140186.000002552DE68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364113934.000002552DE67000.00000004.00000020.00020000.00000000.sdmp	false		high
http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/NfdRD	Phoneutil.exe, 00000001.00000003.2595522273.000000000065F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000003.00000003.1364347295.000002552DE43000.00000004.00000020.00020000.00000000.sdmp	false		high
http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/XfvR	Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.2595522273.000000000065F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://74.219.172.26/PraWKy0XfLrY2h3/5eggl4Vw/aGVmFbV50uw0aihGiY/QQLBkeQEGQ5dK5A/_	Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://104.156.59.7:8080/4MpJIomdFS/AhgpOuUgBy4aHjgupB/eJJ1yfkvN/	Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.2071543930.000000000065F000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.2595522273.000000000065F000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.2353142170.000000000065F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.2.dr, qmgr.db.2.dr	false		high
http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/J	Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://194.187.133.160:443/Y1pc/k	Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/L	Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.2595522273.000000000065F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/	Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.2595522273.000000000065F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://104.156.59.7:8080/4MpJIomdFS/AhgpOuUgBy4aHjgupB/eJJ1yfkvN/qos.dll.mui2	Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000003.00000002.1365056058.000002552DE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364155368.000002552DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364031598.000002552DE6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365122844.000002552DE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365158669.000002552DE70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364313558.000002552DE5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364347295.000002552DE43000.00000004.00000020.00020000.00000000.sdmp	false		high
http://134.209.36.254:8080/PSru9ZpnF8/uUf0InRShO48k/IHRU8CZof4tQ4U/3Mr3e/8vRhggsYnHk/G	Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod.C:	edb.log.2.dr, qmgr.db.2.dr	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000003.00000002.1365020747.000002552DE24000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2	edb.log.2.dr, qmgr.db.2.dr	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000003.00000002.1365020747.000002552DE24000.00000004.00000020.00020000.00000000.sdmp	false		high
http://78.187.156.31/XvqTjPjgHoDJiEfG1x/fqlli/coXWK0DTo2MOHtU/knVHJI50waML6IMly/0cAOm/X	Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://194.187.133.160:443/Y1pc/	Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://78.187.156.31/XvqTjPjgHoDJiEfG1x/fqlli/coXWK0DTo2MOHtU/knVHJI50waML6IMly/0cAOm/?	Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://104.156.59.7:8080/4MpJIomdFS/AhgpOuUgBy4aHjgupB/eJJ1yfkvN/XfvR	Phoneutil.exe, 00000001.00000003.2071543930.000000000065F000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000003.2353142170.000000000065F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://194.187.133.160:443/Y1pc/ad8-9c31255dc46a	Phoneutil.exe, 00000001.00000002.3038358005.0000000002930000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://78.187.156.31/XvqTjPjgHoDJiEfG1x/fqlli/coXWK0DTo2MOHtU/knVHJI50waML6IMly/0cAOm/f8	Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bingmapsportal.com	svchost.exe, 00000003.00000002.1365020747.000002552DE24000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000003.00000003.1364155368.000002552DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365020747.000002552DE24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365122844.000002552DE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364313558.000002552DE5A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://74.219.172.26/PraWKy0XfLrY2h3/5eggl4Vw/aGVmFbV50uw0aihGiY/QQLBkeQEGQ5dK5A/3	Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000002.00000003.1203802155.000002295BAC2000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr, qmgr.db.2.dr	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000003.00000002.1365020747.000002552DE24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365140186.000002552DE68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364113934.000002552DE67000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000003.00000003.1364233034.000002552DE5D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000003.00000002.1365175140.000002552DE76000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363965865.000002552DE74000.00000004.00000020.00020000.00000000.sdmp	false		high
http://74.219.172.26/PraWKy0XfLrY2h3/5eggl4Vw/aGVmFbV50uw0aihGiY/QQLBkeQEGQ5dK5A/	Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000003.00000002.1365020747.000002552DE24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365140186.000002552DE68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364113934.000002552DE67000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000003.00000003.1364155368.000002552DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365020747.000002552DE24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365122844.000002552DE63000.00000004.00000020.00020000.00000000.sdmp	false		high
http://134.209.36.254:8080/PSru9ZpnF8/uUf0InRShO48k/IHRU8CZof4tQ4U/3Mr3e/8vRhggsYnHk/rameters	Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000003.00000003.1364347295.000002552DE43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 00000003.00000002.1365056058.000002552DE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364347295.000002552DE43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364211336.000002552DE5E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000002.00000002.2516522131.000002295B800000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000003.00000002.1365056058.000002552DE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364155368.000002552DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365122844.000002552DE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364347295.000002552DE43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000003.00000003.1364347295.000002552DE43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000003.00000003.1363948269.000002552DE35000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	false		high
http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/3X	Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365087195.000002552DE59000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	false		high
http://74.208.45.104:8080/1TdWM1Fg1DUOJc/G4zcJgHiN8HgM1c/IsSYYO9RXbHxbgBmWUp/	Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://78.187.156.31/XvqTjPjgHoDJiEfG1x/fqlli/coXWK0DTo2MOHtU/knVHJI50waML6IMly/0cAOm/k	Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://134.209.36.254:8080/PSru9ZpnF8/uUf0InRShO48k/IHRU8CZof4tQ4U/3Mr3e/8vRhggsYnHk/	Phoneutil.exe, 00000001.00000003.1830802025.000000000065F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://78.187.156.31/XvqTjPjgHoDJiEfG1x/fqlli/coXWK0DTo2MOHtU/knVHJI50waML6IMly/0cAOm/	Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000003.00000002.1365020747.000002552DE24000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.t	svchost.exe, 00000003.00000003.1364379404.000002552DE33000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000002.00000003.1203802155.000002295BAC2000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	false		high
http://194.187.133.160:443/Y1pc/50uw0aihGiY/QQLBkeQEGQ5dK5A/	Phoneutil.exe, 00000001.00000003.2595481665.000000000293B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365087195.000002552DE59000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000003.00000003.1364155368.000002552DE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365122844.000002552DE63000.00000004.00000020.00020000.00000000.sdmp	false		high
http://104.236.246.93:8080/NoX8/nA3NbJrYfWeYnk/O7oSRrY5VkVRcwq3/l	Phoneutil.exe, 00000001.00000003.2595481665.0000000002952000.00000004.00000020.00020000.00000000.sdmp, Phoneutil.exe, 00000001.00000002.3038358005.0000000002952000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://74.219.172.26/PraWKy0XfLrY2h3/5eggl4Vw/aGVmFbV50uw0aihGiY/QQLBkeQEGQ5dK5A/q	Phoneutil.exe, 00000001.00000002.3037868279.000000000058E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000003.00000003.1364250688.000002552DE58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000003.00000003.1363948269.000002552DE35000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
74.208.45.104	unknown	United States	8560	ONEANDONE-ASBrauerstrasse48DE	false
104.156.59.7	unknown	United States	29802	HVC-ASUS	false
104.236.246.93	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
120.138.30.150	unknown	New Zealand	45179	SITEHOST-AS-APSiteHostNewZealandNZ	false
78.187.156.31	unknown	Turkey	9121	TTNETTR	false
74.219.172.26	unknown	United States	5787	SNAPONSBSUS	false
194.187.133.160	unknown	Bulgaria	13124	IBGCBG	true
134.209.36.254	unknown	United States	14061	DIGITALOCEAN-ASNUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1645426
Start date and time:	2025-03-21 18:37:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	task1.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@12/6@0/9
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 184.31.69.3, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74.208.45.104	ExeFile (360).exe	Get hash	malicious	Emotet	Browse	74.208.45.104:8080/ejCfJvV1/kxVOd5S1eQMg5w/THuO0hNhX41BMsZAJU/
	ExeFile (171).exe	Get hash	malicious	Emotet	Browse	74.208.45.104:8080/ALHMRa7xicKFbwhA/HWuLqz/cMnHtcll/bM8JHrn3ZedwY/2TCs/
	LisectAVT_2403002B_302.exe	Get hash	malicious	Bdaejec, Emotet	Browse	74.208.45.104:8080/jVE55GR1H8h6Yyd/p9OBh8mJyrX3QNpHWY/
104.156.59.7	ExeFile (360).exe	Get hash	malicious	Emotet	Browse	104.156.59.7:8080/FLhkn5FxBNj/8yJJGMkkOjbevD3VkJc/chiAEdV6SWHfxYU9F5L/ueCJ8/
104.236.246.93	ExeFile (360).exe	Get hash	malicious	Emotet	Browse	104.236.246.93:8080/k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/
	ExeFile (226).exe	Get hash	malicious	Emotet	Browse	104.236.246.93:8080/9FGnVHN1/
	ExeFile (106).exe	Get hash	malicious	Emotet	Browse	104.236.246.93:8080/i8R0R9KvvlHBj/k4b2PKkjbuti0/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ONEANDONE-ASBrauerstrasse48DE	wjfOfXh.exe1.exe	Get hash	malicious	Unknown	Browse	212.227.64.208
	Payment-Advice-0003003998e009-PDF.exe	Get hash	malicious	FormBook	Browse	217.160.0.135
	RFQ - MAWARIS-025.js	Get hash	malicious	FormBook	Browse	74.208.236.36
	FG_ShippingNotice_20250310_XDGF.exe	Get hash	malicious	FormBook	Browse	217.160.0.135
	nabm68k.elf	Get hash	malicious	Unknown	Browse	217.174.240.153
	Open-Bonida Unterlagen Schweiz.pdf.lnk	Get hash	malicious	GuLoader	Browse	217.160.0.213
	ICSCertifikat153609921.exe	Get hash	malicious	FormBook	Browse	217.160.0.250
	Certifikat_153600814.exe	Get hash	malicious	FormBook	Browse	217.160.0.250
	https://www.villanaxamena.com	Get hash	malicious	Unknown	Browse	217.160.0.211
HVC-ASUS	wjfOfXh.exe1.exe	Get hash	malicious	Unknown	Browse	194.126.173.158
	awb_dhl_Express_documents_delivery_20_03_2025_0000000-pdf.bat	Get hash	malicious	Batch Injector	Browse	206.123.152.100
	resgod.arm7.elf	Get hash	malicious	Mirai	Browse	46.21.151.161
	z93awb_DHL_Expr.bat	Get hash	malicious	Batch Injector, XWorm	Browse	206.123.152.104
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=r3yI_dSxOEiPJ_sFtWv0u-et2ubyS_1IvjO44TlrG4RUNU4xQUtYREpWQVhXSzJWUVMxMkwySkhRUS4u	Get hash	malicious	HTMLPhisher	Browse	23.227.199.49
	ProctorU.1.30.win.07.exe	Get hash	malicious	Unknown	Browse	66.165.234.62
	ProctorU.1.30.win.07.exe	Get hash	malicious	Unknown	Browse	66.165.234.62
DIGITALOCEAN-ASNUS	wjfOfXh.exe1.exe	Get hash	malicious	Unknown	Browse	134.209.224.96
	ht-jupit.elf	Get hash	malicious	Poseidon	Browse	142.93.165.203
	ulinux-logs.elf	Get hash	malicious	Poseidon	Browse	161.35.85.95
	http://t.dripemail2.com/c/eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJkZXRvdXIiLCJpc3MiOiJtb25vbGl0aCIsInN1YiI6ImRldG91cl9saW5rIiwiaWF0IjoxNzQyNDg1MjAxLCJuYmYiOjE3NDI0ODUyMDEsImFjY291bnRfaWQiOiI5MjExNzMxIiwiZGVsaXZlcnlfaWQiOiI2ZGY2cmIydXVwbjY4cnNhdWo0NCIsInRva2VuIjoiNmRmNnJiMnV1cG42OHJzYXVqNDQiLCJzZW5kX2F0IjoxNzQyNDgzOTQ4LCJlbWFpbF9pZCI6MTA1MDc4ODcsImVtYWlsYWJsZV90eXBlIjoiQnJvYWRjYXN0IiwiZW1haWxhYmxlX2lkIjo0MTkzMDc4LCJ1cmwiOiJodHRwOi8vZ2NyLnVwcGxleC5jby5rZT9fX3M9cWMwZ2JsdTk1emZnYmh3ZHp5OG4mdXRtX3NvdXJjZT1kcmlwJnV0bV9tZWRpdW09ZW1haWwmdXRtX2NhbXBhaWduPVdlK2dvdCthK21ha2VvdmVyLiJ9.nJ9tzd3-jhbWgSNwRLHamHKYwZXuNcZIG2E1QBFM5fg	Get hash	malicious	HTMLPhisher	Browse	162.243.170.173
	resgod.arm.elf	Get hash	malicious	Mirai	Browse	46.101.242.253
	resgod.mips.elf	Get hash	malicious	Mirai	Browse	134.209.166.100
	message_v2.zip	Get hash	malicious	Unknown	Browse	157.245.72.142
	i686.elf	Get hash	malicious	Mirai	Browse	157.230.180.187
	i486.elf	Get hash	malicious	Mirai	Browse	165.227.55.112
TTNETTR	Payment Confirmation pdf.pif.exe	Get hash	malicious	XWorm	Browse	88.255.216.16
	resgod.m68k.elf	Get hash	malicious	Mirai	Browse	78.166.117.141
	hoho.m68k.elf	Get hash	malicious	Unknown	Browse	81.213.113.140
	hoho.sh4.elf	Get hash	malicious	Unknown	Browse	85.108.147.91
	Nyx4r.ppc.elf	Get hash	malicious	Okiru	Browse	88.242.96.225
	yarn.elf	Get hash	malicious	Unknown	Browse	78.178.77.147
	sshd	Get hash	malicious	Unknown	Browse	78.166.135.183
	jkse.arm.elf	Get hash	malicious	Unknown	Browse	78.172.128.125
	jkse.mips.elf	Get hash	malicious	Unknown	Browse	88.255.23.158
SITEHOST-AS-APSiteHostNewZealandNZ	http://novacola.co.nz/	Get hash	malicious	Unknown	Browse	103.250.232.121
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	103.197.54.248
	ExeFile (317).exe	Get hash	malicious	Emotet	Browse	120.138.30.150
	ExeFile (360).exe	Get hash	malicious	Emotet	Browse	120.138.30.150
	ExeFile (356).exe	Get hash	malicious	Emotet	Browse	120.138.30.150
	ExeFile (196).exe	Get hash	malicious	Emotet	Browse	120.138.30.150
	7j5Y0VWRZH.elf	Get hash	malicious	Mirai	Browse	223.165.64.29

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.363788168458258
Encrypted:	false
SSDEEP:	6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
MD5:	0E72F896C84F1457C62C0E20338FAC0D
SHA1:	9C071CC3D15E5BD8BF603391AE447202BD9F8537
SHA-256:	686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
SHA-512:	AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3108010974877788
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrb:KooCEYhgYEL0In
MD5:	38AB81BA5F250686ABD1F5EF6D62C761
SHA1:	572C24B55135257284021551389DAD9582FA0FA1
SHA-256:	38F7210CCA6CE3D7C063849F9CF9DF36681EB211D8B21BCA448A6D1DA477E0EA
SHA-512:	008EAE656738E2DB46FB52636569C5A48D5623E464FE921C7A36491167C340C39B1900E28250470C2DA67C4D68AB8F8FE142AF376B47134CF0EFCC21C30155ED
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x5c342e25, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42221816916691596
Encrypted:	false
SSDEEP:	1536:3SB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:3azag03A2UrzJDO
MD5:	B69FF28EAA750526543C4E559ECEB993
SHA1:	BACEBF6F2C14571840B4525C7EE1BEB4C2FD363C
SHA-256:	E34D2765E38E5C56F2AB0F1B72A3EDD284F5C912333239126CBD8771FFD6786C
SHA-512:	F170DF8D0E04F5E08F1A948A2DFD6A47C3A6DB7867B0CE446498F095B8A8E2E15842789E5A412DB9FA2EBFF4C7E201C53B2D493D663CE757202E4214896AB5BE
Malicious:	false
Preview:	\4.%... .......Y.......X\...;...{......................n.%.....'(...}...&...}..h.#.....'(...}..n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{......................................'(...}..................g.W'(...}...........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07973565865984586
Encrypted:	false
SSDEEP:	3:WzPmlltOetYeOtmTwmRl//WJoYSjVZbT/Z/l/UOJIl//ollOE/tlnl+/rTc:Wjm1rzaI+JoxZbLBlDYApMP
MD5:	04D21411F2C7F924FD37A9FA7271D3C6
SHA1:	C06C5936B86D6BA5D1B5630C1C083CB2021EFB0C
SHA-256:	A914EB156013FB766A517DA4A476E7212FFD69A3F04D00A71F96553EFD45DA99
SHA-512:	D9073DEF0461C656E616468AB44874FC5CDEC3F0D46733CFEACAC4A1CF1E28F23C76FAC75704FC6765FDBC1E685D0F04AE54295DA8F9B2716A50C156076264AD
Malicious:	false
Preview:	.........................................;...{...&...}..'(...}..........'(...}..'(...}..:..<'(...}...................g.W'(...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	7388
Entropy (8bit):	3.241685106263244
Encrypted:	false
SSDEEP:	96:cEi+AAsoJjykzEJ+AAsoJjykHEz+AAsoJjykJ:cN+SoJbO+SoJvo+SoJB
MD5:	B8692765CEAEC2D313ADA3C3BF526249
SHA1:	725651D048A77B09E59444A4EAD746E23E8CBCD0
SHA-256:	CF21137069F03E61E202666665C4A20E13CA2C9FD2B6BD32F8CA93A5E97FC094
SHA-512:	1C5E4FC34D3EF0BCFF579D19A36E2B29DD9309C2E7005044BA9374D976D6D1CD637E389659359224E9645C9B1D7CCE6D5B12A0BF12273C4D70C6CB43768D21CB
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. O.c.t. .. 0.4. .. 2.0.2.3. .1.2.:.0.3.:.4.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.618160178953395
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	task1.exe
File size:	192'512 bytes
MD5:	2ba73d2d47cf2d388446b781613b7eff
SHA1:	c75c7eb4814835388881d1b4c2db67e64a023e1e
SHA256:	06c6442d5bb110140ac1cdbcf1be52388441b9a0750d59b743acc6b52d19582b
SHA512:	667ddc16765d8c3c3596bb734174862db1f2ac24037c361a2e37ec9824c35a8926728400025d62c62c361b1b1e1a9d1e3b4c38c2c5989eee832e083481e50caa
SSDEEP:	3072:0O7Mn+0UNzRqN7GZDA62KrcNaQV/7T9kSjkltZJmHcPz6HEJE:kUGJeD8HVOSqBmHbk
TLSH:	9F14AE85F9D641F5D63A223204AF77729635ED7A4F21C7D7A394EE2D183608098333AE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N..P/m.P/m.P/m.20~.^/m..3c.Q/m..0g.[/m.P/l.7-m..3o.A/m.P/m._/m..0f.D/m..)k.Q/m..0i.W/m.RichP/m.........................PE..L..

File Icon


Icon Hash:	0715150763697373

Static PE Info

General

Entrypoint:	0x412496
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x5F61EF7F [Wed Sep 16 10:57:03 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	83979e8c69e0e822b76e7d828bc42612

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00416028h
push 00412628h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [004147BCh]
pop ecx
or dword ptr [0041BF48h], FFFFFFFFh
or dword ptr [0041BF4Ch], FFFFFFFFh
call dword ptr [004147B8h]
mov ecx, dword ptr [0041BF3Ch]
mov dword ptr [eax], ecx
call dword ptr [004147B4h]
mov ecx, dword ptr [0041BF38h]
mov dword ptr [eax], ecx
mov eax, dword ptr [004147B0h]
mov eax, dword ptr [eax]
mov dword ptr [0041BF44h], eax
call 00007F00107C4E07h
cmp dword ptr [0041AD18h], ebx
jne 00007F00107C4CEEh
push 00412624h
call dword ptr [004147ACh]
pop ecx
call 00007F00107C4DD9h
push 0041A070h
push 0041A06Ch
call 00007F00107C4DC4h
mov eax, dword ptr [0041BF34h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0041BF30h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [004147A4h]
push 0041A068h
push 0041A000h
call 00007F00107C4D91h

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[IMP] VS97 (5.0) SP3 link 5.10.7303
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x192b0	0x66	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17990	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x13468	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x14000	0x97c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1296e	0x13000	a73251b14c77d36acc984f7722d13962	False	0.4713584498355263	data	6.12418782292168	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x14000	0x5316	0x6000	08df296ba9360e6b1157f62ebf300dfe	False	0.2734375	data	4.480454858815612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a000	0x1f50	0x1000	34551e1bb3e87ed33fbb0e8be9c11f26	False	0.43798828125	data	4.799428408814517	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1c000	0x13468	0x14000	4b417cb278888c776d192562038260ae	False	0.81585693359375	data	7.263495041839065	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x2ca78	0x1d0	Device independent bitmap graphic, 48 x 15 x 4, image size 360	English	United States	0.44612068965517243
RT_ICON	0x1c8d0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.31989247311827956
RT_ICON	0x1cbd0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320			0.3208092485549133
RT_ICON	0x1d150	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320			0.3872832369942196
RT_ICON	0x2c208	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.31989247311827956
RT_ICON	0x2c4f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5135135135135135
RT_ICON	0x2c640	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.2540322580645161
RT_ICON	0x2c928	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.4560810810810811
RT_ICON	0x2d1f0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	French	France	0.5295698924731183
RT_ICON	0x2d800	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Italian	Italy	0.3312274368231047
RT_MENU	0x2cc58	0xd0	data	English	United States	0.6826923076923077
RT_MENU	0x2d4f0	0x4e	data	French	France	0.9230769230769231
RT_DIALOG	0x2cd98	0x13e	data	English	United States	0.6194968553459119
RT_DIALOG	0x2d540	0x2bc	data	French	France	0.48857142857142855
RT_STRING	0x2e1d8	0x34	data	English	United States	0.5769230769230769
RT_STRING	0x2e0c0	0x112	data	English	United States	0.48175182481751827
RT_STRING	0x2f308	0xd6	data	English	United States	0.5
RT_STRING	0x2f3e0	0x84	data	French	France	0.5
RT_STRING	0x2e210	0x40	data	English	United States	0.671875
RT_STRING	0x2e298	0x296	data	English	United States	0.3323262839879154
RT_STRING	0x2e638	0x260	data	English	United States	0.0805921052631579
RT_STRING	0x2e9e8	0x328	data	English	United States	0.34405940594059403
RT_STRING	0x2e978	0x70	data	English	United States	0.625
RT_STRING	0x2e530	0x106	data	English	United States	0.5763358778625954
RT_STRING	0x2e898	0xda	data	English	United States	0.43119266055045874
RT_STRING	0x2e250	0x46	data	English	United States	0.7428571428571429
RT_STRING	0x2ed10	0xf6	data	English	United States	0.47560975609756095
RT_STRING	0x2f0f8	0x210	data	English	United States	0.3977272727272727
RT_STRING	0x2ee08	0x1f8	data	English	United States	0.36706349206349204
RT_STRING	0x2f000	0x86	data	English	United States	0.6567164179104478
RT_STRING	0x2f088	0x6e	data	English	United States	0.6181818181818182
RT_ACCELERATOR	0x2cd28	0x70	data	English	United States	0.6785714285714286
RT_GROUP_ICON	0x2c618	0x22	data	English	United States	1.0294117647058822
RT_GROUP_ICON	0x2ca50	0x22	data	English	United States	1.0588235294117647
RT_GROUP_ICON	0x2d4d8	0x14	data	French	France	1.25
RT_GROUP_ICON	0x2e0a8	0x14	data	Italian	Italy	1.25
RT_GROUP_ICON	0x1cbb8	0x14	data			1.2
RT_GROUP_ICON	0x1d6b8	0x14	data			1.25
RT_GROUP_ICON	0x1d138	0x14	data			1.25
RT_VERSION	0x2ced8	0x314	data	English	United States	0.44543147208121825
None	0x1d6d0	0xeb33	data			1.0004318147846738
None	0x2cc48	0xe	data	English	United States	1.5714285714285714

Imports

DLL	Import
ODBC32.dll
MFC42.DLL
MSVCRT.dll	_onexit, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _setmbcp, __dllonexit, sprintf, _access, __CxxFrameHandler, malloc, atoi, strrchr, free, _mbsstr, _mbscmp, memmove, wcslen, _ftol, sscanf, _CxxThrowException, _EH_prolog, ??1type_info@@UAE@XZ, _controlfp
KERNEL32.dll	GetModuleHandleA, GetSystemDirectoryA, CreateFileA, GetFileSize, CloseHandle, MoveFileExA, LocalAlloc, LocalLock, LocalUnlock, GetModuleHandleW, GetLocalTime, GetProcAddress, LoadLibraryA, FreeLibrary, lstrcpynA, MultiByteToWideChar, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, GetCurrentThreadId, SetLastError, FindResourceA, LoadResource, LockResource, MulDiv, GetLastError, FormatMessageA, LocalFree, GetVersion, GetVersionExA, GetModuleFileNameA, FreeConsole, CopyFileA, GetStartupInfoA
USER32.dll	IsWindow, SendMessageA, TrackPopupMenu, PostMessageA, SetMenuDefaultItem, KillTimer, SetTimer, CallNextHookEx, GetClassNameA, SetPropA, GetDCEx, GetPropA, RemovePropA, UnhookWindowsHookEx, SetWindowsHookExA, GetParent, GetWindowDC, ReleaseDC, IntersectRect, IsRectEmpty, DestroyIcon, DrawMenuBar, GetMenuState, wsprintfA, CallWindowProcA, GetCursorPos, GetMenuStringA, CreateMenu, CreatePopupMenu, GetDesktopWindow, LoadBitmapA, ModifyMenuA, InsertMenuA, LoadIconA, EnableWindow, GetClientRect, SetWindowLongA, AppendMenuA, DrawEdge, SetRect, FillRect, DrawFocusRect, GetMessagePos, DrawStateA, GetSystemMetrics, InflateRect, GetSysColor, GetMenuItemCount, GetSubMenu, GetMenuItemID, GetMenuItemInfoA, IsMenu, GetMenu, WindowFromDC, CopyRect, OffsetRect, SystemParametersInfoA, MessageBoxA, GetWindowRect, GetClassInfoA, RemoveMenu, UpdateWindow, ShowWindow, FindWindowA, SetForegroundWindow, GetWindowLongA, GetSystemMenu
GDI32.dll	BitBlt, GetPixel, CreateCompatibleDC, CreateCompatibleBitmap, SetPixel, Rectangle, CreateFontIndirectA, CreateSolidBrush, CreateFontA, GetTextExtentPoint32A, RoundRect
ADVAPI32.dll	RegCreateKeyA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegCloseKey, CryptAcquireContextA, RegConnectRegistryA, QueryServiceStatus, OpenSCManagerA, OpenServiceA, CloseServiceHandle
SHELL32.dll	SHGetMalloc, Shell_NotifyIconA
COMCTL32.dll	ImageList_Draw, ImageList_GetIconSize, ImageList_GetIcon, ImageList_AddMasked, ImageList_SetBkColor, ImageList_ReplaceIcon
ole32.dll	CoUninitialize, CoInitialize, CoCreateInstance
MSVCP60.dll	??1_Winit@std@@QAE@XZ, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z, ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB, ??0_Winit@std@@QAE@XZ, ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB, ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z, ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z, ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z, ??0Init@ios_base@std@@QAE@XZ, ??1Init@ios_base@std@@QAE@XZ
MSIMG32.dll	GradientFill

Exports

Name	Ordinal	Address
SDASQFddefgshdSSSgfdtEghfIITFDSSSSS	1	0x403660

Version Infos

Description	Data
CompanyName
FileDescription	Dialupwatch MFC Application
FileVersion	1, 0, 0, 1
InternalName	Dialupwatch
LegalCopyright	Copyright (C) 2002
LegalTrademarks
OriginalFilename	Dialupwatch.EXE
ProductName	Dialupwatch Application
ProductVersion	1, 0, 0, 1
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
French	France
Italian	Italy

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-21T18:38:20.277675+0100	2030868	ET MALWARE Win32/Emotet CnC Activity (POST) M10	1	192.168.2.4	49735	194.187.133.160	443	TCP

Network Port Distribution

Total Packets: 39
• 8080 undefined
• 443 (HTTPS)
• 80 (HTTP)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2025 18:38:43.554848909 CET	49728	80	192.168.2.4	74.219.172.26
Mar 21, 2025 18:38:44.558902979 CET	49728	80	192.168.2.4	74.219.172.26
Mar 21, 2025 18:38:46.558944941 CET	49728	80	192.168.2.4	74.219.172.26
Mar 21, 2025 18:38:50.574570894 CET	49728	80	192.168.2.4	74.219.172.26
Mar 21, 2025 18:38:58.590194941 CET	49728	80	192.168.2.4	74.219.172.26
Mar 21, 2025 18:39:08.529316902 CET	49729	8080	192.168.2.4	134.209.36.254
Mar 21, 2025 18:39:09.527702093 CET	49729	8080	192.168.2.4	134.209.36.254
Mar 21, 2025 18:39:11.527950048 CET	49729	8080	192.168.2.4	134.209.36.254
Mar 21, 2025 18:39:15.527832031 CET	49729	8080	192.168.2.4	134.209.36.254
Mar 21, 2025 18:39:23.527738094 CET	49729	8080	192.168.2.4	134.209.36.254
Mar 21, 2025 18:39:32.520080090 CET	49732	8080	192.168.2.4	104.156.59.7
Mar 21, 2025 18:39:33.527879000 CET	49732	8080	192.168.2.4	104.156.59.7
Mar 21, 2025 18:39:35.527998924 CET	49732	8080	192.168.2.4	104.156.59.7
Mar 21, 2025 18:39:39.527822018 CET	49732	8080	192.168.2.4	104.156.59.7
Mar 21, 2025 18:39:47.543437958 CET	49732	8080	192.168.2.4	104.156.59.7
Mar 21, 2025 18:39:56.591527939 CET	49734	8080	192.168.2.4	120.138.30.150
Mar 21, 2025 18:39:57.590361118 CET	49734	8080	192.168.2.4	120.138.30.150
Mar 21, 2025 18:39:59.606004953 CET	49734	8080	192.168.2.4	120.138.30.150
Mar 21, 2025 18:40:03.605967045 CET	49734	8080	192.168.2.4	120.138.30.150
Mar 21, 2025 18:40:11.605880022 CET	49734	8080	192.168.2.4	120.138.30.150
Mar 21, 2025 18:40:20.732009888 CET	49735	443	192.168.2.4	194.187.133.160
Mar 21, 2025 18:40:20.732109070 CET	443	49735	194.187.133.160	192.168.2.4
Mar 21, 2025 18:40:20.732214928 CET	49735	443	192.168.2.4	194.187.133.160
Mar 21, 2025 18:40:20.734124899 CET	49735	443	192.168.2.4	194.187.133.160
Mar 21, 2025 18:40:20.734162092 CET	443	49735	194.187.133.160	192.168.2.4
Mar 21, 2025 18:40:20.734210014 CET	49735	443	192.168.2.4	194.187.133.160
Mar 21, 2025 18:40:20.734227896 CET	443	49735	194.187.133.160	192.168.2.4
Mar 21, 2025 18:40:20.734263897 CET	443	49735	194.187.133.160	192.168.2.4
Mar 21, 2025 18:40:24.756270885 CET	49736	8080	192.168.2.4	104.236.246.93
Mar 21, 2025 18:40:25.762115002 CET	49736	8080	192.168.2.4	104.236.246.93
Mar 21, 2025 18:40:27.762051105 CET	49736	8080	192.168.2.4	104.236.246.93
Mar 21, 2025 18:40:31.762007952 CET	49736	8080	192.168.2.4	104.236.246.93
Mar 21, 2025 18:40:39.761979103 CET	49736	8080	192.168.2.4	104.236.246.93
Mar 21, 2025 18:40:48.989140987 CET	49737	8080	192.168.2.4	74.208.45.104
Mar 21, 2025 18:40:49.996191978 CET	49737	8080	192.168.2.4	74.208.45.104
Mar 21, 2025 18:40:52.011794090 CET	49737	8080	192.168.2.4	74.208.45.104
Mar 21, 2025 18:40:56.027335882 CET	49737	8080	192.168.2.4	74.208.45.104
Mar 21, 2025 18:41:04.042933941 CET	49737	8080	192.168.2.4	74.208.45.104
Mar 21, 2025 18:41:13.469537973 CET	49738	80	192.168.2.4	78.187.156.31
Mar 21, 2025 18:41:14.480412006 CET	49738	80	192.168.2.4	78.187.156.31
Mar 21, 2025 18:41:16.480343103 CET	49738	80	192.168.2.4	78.187.156.31
Mar 21, 2025 18:41:20.480381012 CET	49738	80	192.168.2.4	78.187.156.31
Mar 21, 2025 18:41:28.495866060 CET	49738	80	192.168.2.4	78.187.156.31

HTTP Request Dependency Graph

194.187.133.160

194.187.133.160:443

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	194.187.133.160	443	7648	C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe

Timestamp	Bytes transferred	Direction	Data
Mar 21, 2025 18:40:20.734124899 CET	494	OUT	POST /Y1pc/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 194.187.133.160/Y1pc/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=--------oVoFEuGE Host: 194.187.133.160:443 Content-Length: 5988 Cache-Control: no-cache

Statistics

CPU Usage

• task1.exe
• Phoneutil.exe
• svchost.exe
• svchost.exe
• SgrmBroker.exe
• svchost.exe
• svchost.exe
• svchost.exe
• MpCmdRun.exe
• conhost.exe

Click to jump to process

Memory Usage

• task1.exe
• Phoneutil.exe
• svchost.exe
• svchost.exe
• SgrmBroker.exe
• svchost.exe
• svchost.exe
• svchost.exe
• MpCmdRun.exe
• conhost.exe

Click to jump to process

Click to jump to process

Target ID:	0
Start time:	13:38:24
Start date:	21/03/2025
Path:	C:\Users\user\Desktop\task1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\task1.exe"
Imagebase:	0x400000
File size:	192'512 bytes
MD5 hash:	2BA73D2D47CF2D388446B781613B7EFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000000.00000002.1169317226.0000000002291000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.1169283675.0000000002274000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000000.00000002.1169283675.0000000002274000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.1169237913.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000000.00000002.1169237913.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:38:25
Start date:	21/03/2025
Path:	C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\mfc110enu\Phoneutil.exe"
Imagebase:	0x400000
File size:	192'512 bytes
MD5 hash:	2BA73D2D47CF2D388446B781613B7EFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.3037538833.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000001.00000002.3037538833.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.3037797456.0000000000561000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000001.00000002.3037797456.0000000000561000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.3037700653.0000000000544000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000001.00000002.3037700653.0000000000544000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	13:38:28
Start date:	21/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6ca680000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:38:34
Start date:	21/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff6ca680000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:38:34
Start date:	21/03/2025
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff6976d0000
File size:	329'504 bytes
MD5 hash:	3BA1A18A0DC30A0545E7765CB97D8E63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:38:34
Start date:	21/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase:	0x7ff6ca680000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	13:38:34
Start date:	21/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase:	0x7ff6ca680000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	13:38:35
Start date:	21/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase:	0x7ff6ca680000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	13:39:35
Start date:	21/03/2025
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7d5ba0000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:39:35
Start date:	21/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report task1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Windows Analysis Report
task1.exe