Windows Analysis Report
Po#70831.exe

Overview

General Information

Sample name: Po#70831.exe
Analysis ID: 1501074
MD5: bde0b7ff5003da14df7675564d5a8f6a
SHA1: e72691a96a386c72392375969f0426361e167d3b
SHA256: af44fccdfe3d6e7f65283d47f4a121bd70000dbcf1d8d91aead1c124cd808554
Tags: exe
Infos:

Detection

Azorult
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Azorult
Yara detected Azorult Info Stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Azorult AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.
  • The Gorgon Group
 https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://ln6b9.shop/LN341/index.php Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.2377127925.00000000036E0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Azorult {"C2 url": "http://ln6b9.shop/LN341/index.php"}
Multi AV Scanner detection for domain / URL
Source: http://ln6b9.shop/LN341/index.php Virustotal: Detection: 9% Perma Link
Multi AV Scanner detection for submitted file
Source: Po#70831.exe Virustotal: Detection: 33% Perma Link
Source: Po#70831.exe ReversingLabs: Detection: 71%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: Po#70831.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004094C4 CryptUnprotectData,LocalFree, 2_2_004094C4
Uses 32bit PE files
Source: Po#70831.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, mozglue.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.2.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.2.dr
Source: Binary string: ucrtbase.pdb source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, ucrtbase.dll.2.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-memory-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.2.dr
Source: Binary string: wntdll.pdb source: Po#70831.exe, 00000000.00000003.2368245174.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, Po#70831.exe, 00000000.00000003.2368365177.0000000003C50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-environment-l1-1-0.dll.2.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, vcruntime140.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, mozglue.dll.2.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-private-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.2.dr
Source: Binary string: msvcp140.i386.pdb source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, msvcp140.dll.2.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.2.dr
Source: Binary string: ucrtbase.pdbUGP source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, ucrtbase.dll.2.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, nssdbm3.dll.2.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.2.dr
Source: Binary string: wntdll.pdbUGP source: Po#70831.exe, 00000000.00000003.2368245174.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, Po#70831.exe, 00000000.00000003.2368365177.0000000003C50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.2.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.2.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.2.dr
Source: Binary string: vcruntime140.i386.pdb source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, vcruntime140.dll.2.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-utility-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, nssdbm3.dll.2.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.2.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, msvcp140.dll.2.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-file-l2-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.2.dr
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004FDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004FDBBE
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004CC2A2 FindFirstFileExW, 0_2_004CC2A2
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_005068EE FindFirstFileW,FindClose, 0_2_005068EE
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_0050698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0050698F
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004FD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_004FD076
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004FD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_004FD3A9
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_00509642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00509642
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_0050979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0050979D
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_00509B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00509B2B
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_00505C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00505C97
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004098A0 FindFirstFileW,FindNextFileW,FindClose, 2_2_004098A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D0A0 FindFirstFileW, 2_2_0040D0A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 2_2_00414408
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00408D44 FindFirstFileW,GetFileAttributesW,FindNextFileW, 2_2_00408D44
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00415610 FindFirstFileW,FindNextFileW,FindClose, 2_2_00415610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004087DC FreeLibrary,FindFirstFileW,DeleteFileW,FindNextFileW,SetCurrentDirectoryW,RemoveDirectoryW, 2_2_004087DC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D06E FindFirstFileW, 2_2_0040D06E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041303C FindFirstFileW,FindNextFileW,FindClose, 2_2_0041303C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040989F FindFirstFileW,FindNextFileW,FindClose, 2_2_0040989F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004111C4 FindFirstFileW,FindNextFileW,FindClose, 2_2_004111C4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 2_2_00414408
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00415610 FindFirstFileW,FindNextFileW,FindClose, 2_2_00415610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00412D70 FindFirstFileW,FindNextFileW,FindClose, 2_2_00412D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00412D70 FindFirstFileW,FindNextFileW,FindClose, 2_2_00412D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00408D3C FindFirstFileW,GetFileAttributesW,FindNextFileW, 2_2_00408D3C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00412D70 FindFirstFileW,FindNextFileW,FindClose, 2_2_00412D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041158C FindFirstFileW,FindNextFileW,FindClose, 2_2_0041158C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00411590 FindFirstFileW,FindNextFileW,FindClose, 2_2_00411590
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00412D9C FindFirstFileW,FindNextFileW,FindClose, 2_2_00412D9C

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2029467 - Severity 1 - ET MALWARE Win32/AZORult V3.3 Client Checkin M14 : 192.168.2.6:49717 -> 172.67.128.117:80
Source: Network traffic Suricata IDS: 2810276 - Severity 1 - ETPRO MALWARE AZORult CnC Beacon M1 : 192.168.2.6:49717 -> 172.67.128.117:80
Source: Network traffic Suricata IDS: 2029136 - Severity 1 - ET MALWARE AZORult v3.3 Server Response M1 : 172.67.128.117:80 -> 192.168.2.6:49717
Source: Network traffic Suricata IDS: 2029467 - Severity 1 - ET MALWARE Win32/AZORult V3.3 Client Checkin M14 : 192.168.2.6:49718 -> 172.67.128.117:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 172.67.128.117 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://ln6b9.shop/LN341/index.php
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /LN341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: ln6b9.shopContent-Length: 109Cache-Control: no-cacheData Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 ef 26 66 99 26 66 9a 26 66 9f 26 66 9e 26 66 99 26 66 97 26 67 ea 46 13 8b 30 67 ed 45 17 8b 30 60 8b 30 66 8b 31 11 ef 26 66 96 42 70 9d 35 70 9d 3a 70 9d 32 70 9d 34 70 9d 3b Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410b&f&f&f&f&f&f&gF0gE0`0f1&fBp5p:p2p4p;
Source: global traffic HTTP traffic detected: POST /LN341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: ln6b9.shopContent-Length: 33917Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_0050CE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_0050CE44
Source: global traffic DNS traffic detected: DNS query: ln6b9.shop
Source: unknown HTTP traffic detected: POST /LN341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: ln6b9.shopContent-Length: 109Cache-Control: no-cacheData Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 ef 26 66 99 26 66 9a 26 66 9f 26 66 9e 26 66 99 26 66 97 26 67 ea 46 13 8b 30 67 ed 45 17 8b 30 60 8b 30 66 8b 31 11 ef 26 66 96 42 70 9d 35 70 9d 3a 70 9d 32 70 9d 34 70 9d 3b Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410b&f&f&f&f&f&f&gF0gE0`0f1&fBp5p:p2p4p;
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr, nssdbm3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr, nssdbm3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr, nssdbm3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr, nssdbm3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr, nssdbm3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr, nssdbm3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr, nssdbm3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Po#70831.exe, 00000000.00000002.2377127925.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2482219448.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://ip-api.com/json
Source: svchost.exe, 00000002.00000002.2482756320.0000000003212000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ln6b9.shop/LN341/index.php
Source: svchost.exe, 00000002.00000002.2483316959.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ln6b9.shop/LN341/index.phpA
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr, nssdbm3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr, nssdbm3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr, nssdbm3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr String found in binary or memory: http://ocsp.thawte.com0
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr, nssdbm3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr, nssdbm3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr, nssdbm3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue.dll.2.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr, nssdbm3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr String found in binary or memory: http://www.mozilla.com0
Source: Po#70831.exe, 00000000.00000002.2377127925.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2482219448.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://dotbit.me/a/
Source: svchost.exe, 00000002.00000002.2483316959.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf
Source: svchost.exe, 00000002.00000002.2482756320.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2482873821.0000000003248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: svchost.exe, 00000002.00000002.2483316959.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.s
Source: svchost.exe, 00000002.00000002.2483316959.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: svchost.exe, 00000002.00000002.2482756320.0000000003212000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2z
Source: svchost.exe, 00000002.00000002.2482787252.0000000003231000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2482899863.000000000325F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2482873821.0000000003248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: svchost.exe, 00000002.00000002.2483316959.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf
Source: svchost.exe, 00000002.00000002.2482756320.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2482873821.0000000003248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr, nssdbm3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_0050EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0050EAFF
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_0050ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0050ED6A
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_0050EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0050EAFF
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004FAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_004FAA57
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_00529576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00529576
Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: Po#70831.exe PID: 6900, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.Po#70831.exe.36e0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.2.Po#70831.exe.36e0000.1.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.Po#70831.exe.36e0000.1.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Po#70831.exe.36e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.2.Po#70831.exe.36e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.Po#70831.exe.36e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.60c5e12.4.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 2.2.svchost.exe.605a6c1.5.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 2.2.svchost.exe.60386d4.6.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 00000002.00000002.2482219448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000002.00000002.2482219448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Azorult Payload Author: kevoreilly
Source: 00000002.00000002.2482219448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2377127925.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000000.00000002.2377127925.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000002.2377127925.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Binary is likely a compiled AutoIt script file
Source: Po#70831.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Po#70831.exe, 00000000.00000002.2371064957.0000000000552000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_8859611d-d
Source: Po#70831.exe, 00000000.00000002.2371064957.0000000000552000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_345c963e-c
Source: Po#70831.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_f81f3f0c-9
Source: Po#70831.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_78b27d31-6
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Po#70831.exe
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004FD5EB: CreateFileW,DeviceIoControl,CloseHandle, 0_2_004FD5EB
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004F1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_004F1201
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004FE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_004FE8F6
Detected potential crypto function
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_0049BF40 0_2_0049BF40
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_00502046 0_2_00502046
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_00498060 0_2_00498060
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004F8298 0_2_004F8298
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004CE4FF 0_2_004CE4FF
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004C676B 0_2_004C676B
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_00524873 0_2_00524873
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_0049CAF0 0_2_0049CAF0
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004BCAA0 0_2_004BCAA0
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004ACC39 0_2_004ACC39
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004C6DD9 0_2_004C6DD9
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004AB119 0_2_004AB119
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004991C0 0_2_004991C0
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004B1394 0_2_004B1394
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004B781B 0_2_004B781B
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004A997D 0_2_004A997D
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_00497920 0_2_00497920
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004B7A4A 0_2_004B7A4A
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004B7CA7 0_2_004B7CA7
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_0051BE44 0_2_0051BE44
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004C9EEE 0_2_004C9EEE
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_036D3610 0_2_036D3610
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00403B98 appears 44 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00404E64 appears 33 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00404E3C appears 87 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004062D8 appears 34 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004034E4 appears 36 times
Source: C:\Users\user\Desktop\Po#70831.exe Code function: String function: 004B0A30 appears 46 times
Source: C:\Users\user\Desktop\Po#70831.exe Code function: String function: 004AF9F2 appears 40 times
Source: C:\Users\user\Desktop\Po#70831.exe Code function: String function: 00499CB3 appears 31 times
PE file does not import any functions
Source: api-ms-win-crt-multibyte-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: Po#70831.exe, 00000000.00000003.2370066895.0000000003D7D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Po#70831.exe
Source: Po#70831.exe, 00000000.00000003.2369813239.0000000003BD3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Po#70831.exe
Uses 32bit PE files
Source: Po#70831.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 0.2.Po#70831.exe.36e0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.2.Po#70831.exe.36e0000.1.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.Po#70831.exe.36e0000.1.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Po#70831.exe.36e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.2.Po#70831.exe.36e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.Po#70831.exe.36e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.60c5e12.4.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 2.2.svchost.exe.605a6c1.5.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 2.2.svchost.exe.60386d4.6.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 00000002.00000002.2482219448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000002.00000002.2482219448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000002.00000002.2482219448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2377127925.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000000.00000002.2377127925.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000002.2377127925.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@8/53@1/1
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_005037B5 GetLastError,FormatMessageW, 0_2_005037B5
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004F10BF AdjustTokenPrivileges,CloseHandle, 0_2_004F10BF
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004F16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_004F16C3
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_005051CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_005051CD
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_0051A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0051A67C
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_0050648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0050648E
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004942A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_004942A2
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\AFA7A44E6-9414907A-7A741079-EF2CFB53-A8A69178
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5308:120:WilError_03
Source: C:\Users\user\Desktop\Po#70831.exe File created: C:\Users\user\AppData\Local\Temp\aut2BB3.tmp Jump to behavior
Source: Po#70831.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\svchost.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Po#70831.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.2.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.2.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.2.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.2.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.2.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.2.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.2.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.2.dr Binary or memory string: SELECT ALL id FROM %s;
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.2.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.2.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.2.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.2.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.2.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.2.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: svchost.exe, 00000002.00000003.2434642976.000000000326F000.00000004.00000020.00020000.00000000.sdmp, 45408433256266381758956.tmp.2.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Po#70831.exe Virustotal: Detection: 33%
Source: Po#70831.exe ReversingLabs: Detection: 71%
Source: unknown Process created: C:\Users\user\Desktop\Po#70831.exe "C:\Users\user\Desktop\Po#70831.exe"
Source: C:\Users\user\Desktop\Po#70831.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Po#70831.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
Source: C:\Users\user\Desktop\Po#70831.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Po#70831.exe" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "svchost.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3 Jump to behavior
Source: C:\Users\user\Desktop\Po#70831.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Po#70831.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Po#70831.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Po#70831.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Po#70831.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Po#70831.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Po#70831.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Po#70831.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Po#70831.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Po#70831.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Po#70831.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Jump to behavior
Source: Po#70831.exe Static file information: File size 1295872 > 1048576
Source: Po#70831.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Po#70831.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Po#70831.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Po#70831.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Po#70831.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Po#70831.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Po#70831.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, mozglue.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.2.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.2.dr
Source: Binary string: ucrtbase.pdb source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, ucrtbase.dll.2.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-memory-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.2.dr
Source: Binary string: wntdll.pdb source: Po#70831.exe, 00000000.00000003.2368245174.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, Po#70831.exe, 00000000.00000003.2368365177.0000000003C50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-environment-l1-1-0.dll.2.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, vcruntime140.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, mozglue.dll.2.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.2.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-private-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.2.dr
Source: Binary string: msvcp140.i386.pdb source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, msvcp140.dll.2.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.2.dr
Source: Binary string: ucrtbase.pdbUGP source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, ucrtbase.dll.2.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, nssdbm3.dll.2.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.2.dr
Source: Binary string: wntdll.pdbUGP source: Po#70831.exe, 00000000.00000003.2368245174.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, Po#70831.exe, 00000000.00000003.2368365177.0000000003C50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.2.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.2.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.2.dr
Source: Binary string: vcruntime140.i386.pdb source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, vcruntime140.dll.2.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-utility-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, nssdbm3.dll.2.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.2.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: svchost.exe, 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, msvcp140.dll.2.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-file-l2-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: svchost.exe, 00000002.00000002.2483931178.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.2.dr
Source: Po#70831.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Po#70831.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Po#70831.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Po#70831.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Po#70831.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Binary contains a suspicious time stamp
Source: ucrtbase.dll.2.dr Static PE information: 0x9E3394C7 [Sun Feb 8 16:22:31 2054 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004942DE
PE file contains sections with non-standard names
Source: msvcp140.dll.2.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004B0A76 push ecx; ret 0_2_004B0A89
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D86E push 0040D89Ch; ret 2_2_0040D894
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D870 push 0040D89Ch; ret 2_2_0040D894
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004140C0 push 004140ECh; ret 2_2_004140E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004108C8 push 004108F4h; ret 2_2_004108EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040B0F7 push 0040B124h; ret 2_2_0040B11C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040B0F8 push 0040B124h; ret 2_2_0040B11C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00408080 push 004080B8h; ret 2_2_004080B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00408158 push 00408196h; ret 2_2_0040818E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00408970 push 004089E4h; ret 2_2_004089DC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00408994 push 004089E4h; ret 2_2_004089DC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004089AC push 004089E4h; ret 2_2_004089DC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00415208 push 0041528Ch; ret 2_2_00415284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040CA0C push 0040CA3Ch; ret 2_2_0040CA34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040CA10 push 0040CA3Ch; ret 2_2_0040CA34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417AEC push 00417B18h; ret 2_2_00417B10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00404BC0 push 00404C11h; ret 2_2_00404C09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D3C0 push 0040D3ECh; ret 2_2_0040D3E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040A3E4 push 0040A410h; ret 2_2_0040A408
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040C390 push 0040C3C0h; ret 2_2_0040C3B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040C394 push 0040C3C0h; ret 2_2_0040C3B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040A3AC push 0040A3D8h; ret 2_2_0040A3D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040DC44 push 0040DCA3h; ret 2_2_0040DC9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040DC0C push 0040DC38h; ret 2_2_0040DC30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040B41E push 0040B44Ch; ret 2_2_0040B444
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040B420 push 0040B44Ch; ret 2_2_0040B444
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040A438 push 0040A464h; ret 2_2_0040A45C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A4F4 push 0041A51Ah; ret 2_2_0041A512
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00414C80 push 00414CACh; ret 2_2_00414CA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409488 push 004094B8h; ret 2_2_004094B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A4AC push 0041A4E8h; ret 2_2_0041A4E0
Drops PE files
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\ucrtbase.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\vcruntime140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\nssdbm3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\softokn3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\mozglue.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\freebl3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\nss3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\msvcp140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004AF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004AF98E
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_00521C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00521C41
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417B1A LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 2_2_00417B1A
Source: C:\Users\user\Desktop\Po#70831.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Po#70831.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found API chain indicative of sandbox detection
Source: C:\Users\user\Desktop\Po#70831.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\Po#70831.exe API/Special instruction interceptor: Address: 36D3234
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00416B94 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,GetCurrentProcessId, 2_2_00416B94
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\nssdbm3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\freebl3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\softokn3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\nss3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B025A83F\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Po#70831.exe API coverage: 3.8 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004FDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004FDBBE
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004CC2A2 FindFirstFileExW, 0_2_004CC2A2
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_005068EE FindFirstFileW,FindClose, 0_2_005068EE
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_0050698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0050698F
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004FD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_004FD076
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004FD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_004FD3A9
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_00509642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00509642
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_0050979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0050979D
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_00509B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00509B2B
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_00505C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00505C97
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004098A0 FindFirstFileW,FindNextFileW,FindClose, 2_2_004098A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D0A0 FindFirstFileW, 2_2_0040D0A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 2_2_00414408
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00408D44 FindFirstFileW,GetFileAttributesW,FindNextFileW, 2_2_00408D44
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00415610 FindFirstFileW,FindNextFileW,FindClose, 2_2_00415610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004087DC FreeLibrary,FindFirstFileW,DeleteFileW,FindNextFileW,SetCurrentDirectoryW,RemoveDirectoryW, 2_2_004087DC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D06E FindFirstFileW, 2_2_0040D06E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041303C FindFirstFileW,FindNextFileW,FindClose, 2_2_0041303C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040989F FindFirstFileW,FindNextFileW,FindClose, 2_2_0040989F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004111C4 FindFirstFileW,FindNextFileW,FindClose, 2_2_004111C4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 2_2_00414408
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00415610 FindFirstFileW,FindNextFileW,FindClose, 2_2_00415610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00412D70 FindFirstFileW,FindNextFileW,FindClose, 2_2_00412D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00412D70 FindFirstFileW,FindNextFileW,FindClose, 2_2_00412D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00408D3C FindFirstFileW,GetFileAttributesW,FindNextFileW, 2_2_00408D3C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00412D70 FindFirstFileW,FindNextFileW,FindClose, 2_2_00412D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041158C FindFirstFileW,FindNextFileW,FindClose, 2_2_0041158C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00411590 FindFirstFileW,FindNextFileW,FindClose, 2_2_00411590
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00412D9C FindFirstFileW,FindNextFileW,FindClose, 2_2_00412D9C
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004942DE
Source: svchost.exe, 00000002.00000002.2482873821.0000000003248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000002.00000002.2482756320.0000000003212000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: svchost.exe, 00000002.00000002.2482899863.000000000325F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NativeFontCtlHyper-V RAWp)
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_0050EAA2 BlockInput, 0_2_0050EAA2
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004C2622
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00416B94 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,GetCurrentProcessId, 2_2_00416B94
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004942DE
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004B4CE8 mov eax, dword ptr fs:[00000030h] 0_2_004B4CE8
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_036D3500 mov eax, dword ptr fs:[00000030h] 0_2_036D3500
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_036D34A0 mov eax, dword ptr fs:[00000030h] 0_2_036D34A0
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_036D1E70 mov eax, dword ptr fs:[00000030h] 0_2_036D1E70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00407A34 mov eax, dword ptr fs:[00000030h] 2_2_00407A34
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004F0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_004F0B62
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004C2622
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004B083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004B083F
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004B09D5 SetUnhandledExceptionFilter, 0_2_004B09D5
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004B0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004B0C21

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 172.67.128.117 80 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Po#70831.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Po#70831.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: D2A008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004F1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_004F1201
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004D2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_004D2BA5
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004FB226 SendInput,keybd_event, 0_2_004FB226
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_005122DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_005122DA
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Po#70831.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Po#70831.exe" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "svchost.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3 Jump to behavior
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004F0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_004F0B62
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004F1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_004F1663
Source: Po#70831.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Po#70831.exe Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004B0698 cpuid 0_2_004B0698
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA, 2_2_00416FB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA, 2_2_00404B4C
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Windows\SysWOW64\svchost.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_00508195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00508195
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004ED27A GetUserNameW, 0_2_004ED27A
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004CB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_004CB952
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_004942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004942DE
Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Azorult
Source: Yara match File source: 0.2.Po#70831.exe.36e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Po#70831.exe.36e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2483316959.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2484833657.00000000067AC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2483360582.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2482219448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2377127925.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Po#70831.exe PID: 6900, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4396, type: MEMORYSTR
Yara detected Azorult Info Stealer
Source: Yara match File source: 0.2.Po#70831.exe.36e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Po#70831.exe.36e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2482219448.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2377127925.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Po#70831.exe PID: 6900, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4396, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: svchost.exe, 00000002.00000002.2483316959.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\wallets\
Source: svchost.exe, 00000002.00000002.2483316959.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\wallets\
Source: svchost.exe, 00000002.00000002.2483316959.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: svchost.exe, 00000002.00000002.2483316959.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Exodus\
Source: svchost.exe, 00000002.00000002.2483316959.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: svchost.exe, 00000002.00000002.2483316959.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: svchost.exe, 00000002.00000002.2483316959.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Exodus\
Source: svchost.exe, 00000002.00000002.2483316959.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: svchost.exe, 00000002.00000002.2483316959.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: svchost.exe, 00000002.00000002.2483316959.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum-LTC\wallets\
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\ Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\filezilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\ElectrumG\wallets\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Electrum-btcp\wallets\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Exodus Eden\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Jaxx\Local Storage\ Jump to behavior
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: Po#70831.exe Binary or memory string: WIN_81
Source: Po#70831.exe Binary or memory string: WIN_XP
Source: Po#70831.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Po#70831.exe Binary or memory string: WIN_XPe
Source: Po#70831.exe Binary or memory string: WIN_VISTA
Source: Po#70831.exe Binary or memory string: WIN_7
Source: Po#70831.exe Binary or memory string: WIN_8
Yara detected Credential Stealer
Source: Yara match File source: 2.2.svchost.exe.60c5e12.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.605a6c1.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.60386d4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2484249625.0000000006010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4396, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_00511204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00511204
Source: C:\Users\user\Desktop\Po#70831.exe Code function: 0_2_00511806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00511806
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1501074 Sample: Po#70831.exe Startdate: 29/08/2024 Architecture: WINDOWS Score: 100 31 ln6b9.shop 2->31 35 Multi AV Scanner detection for domain / URL 2->35 37 Suricata IDS alerts for network traffic 2->37 39 Found malware configuration 2->39 41 10 other signatures 2->41 9 Po#70831.exe 4 2->9         started        signatures3 process4 signatures5 43 Binary is likely a compiled AutoIt script file 9->43 45 Found API chain indicative of sandbox detection 9->45 47 Writes to foreign memory regions 9->47 49 2 other signatures 9->49 12 svchost.exe 69 9->12         started        process6 dnsIp7 33 ln6b9.shop 172.67.128.117, 49717, 49718, 80 CLOUDFLARENETUS United States 12->33 23 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->23 dropped 25 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 12->25 dropped 27 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 12->27 dropped 29 45 other files (none is malicious) 12->29 dropped 51 System process connects to network (likely due to code injection or exploit) 12->51 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->53 55 Tries to steal Instant Messenger accounts or passwords 12->55 57 6 other signatures 12->57 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 conhost.exe 17->19         started        21 timeout.exe 1 17->21         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.128.117
 ln6b9.shop United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
ln6b9.shop 172.67.128.117 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://ln6b9.shop/LN341/index.php true
  • 9%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown