
Analysis Report AXZFXiJCj3

Overview

General Information

Sample Name: AXZFXiJCj3 (renamed file extension from none to exe)
Analysis ID: 317581
MD5: cb6a701436f1498897a3ee49564bcd8c
SHA1: f4097f6879b2d5ebf1590f83350b009828bd2aaa
SHA256: 292b5987d57317d8d4047a8b4dbae1fd2cbebf0fa3c89b7dcfa96b93c40e36b1

Most interesting Screenshot:

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • AXZFXiJCj3.exe (PID: 4508 cmdline: 'C:\Users\user\Desktop\AXZFXiJCj3.exe' MD5: CB6A701436F1498897A3EE49564BCD8C)
    • hlink.exe (PID: 5036 cmdline: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe MD5: CB6A701436F1498897A3EE49564BCD8C)
  • svchost.exe (PID: 6052 cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4596 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5960 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5584 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3132 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4616 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3604 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 372 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5752 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 4648 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 4956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 3152 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.501702388.0000000000E10000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000003.00000002.502007177.0000000000FD1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.236042991.0000000003004000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.236006103.0000000002FC0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.236081390.0000000003041000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.hlink.exe.fd0000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.2.AXZFXiJCj3.exe.3040000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: AXZFXiJCj3.exe | Metadefender: Detection: 45%
Source: AXZFXiJCj3.exe | ReversingLabs: Detection: 70%
Machine Learning detection for sample
Source: AXZFXiJCj3.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe | Code function: 3_2_00FD22C0 CryptExportKey,CryptDestroyHash,memcpy,CryptEncrypt,RtlAllocateHeap,CryptDuplicateHash,CryptGetHashParam,3_2_00FD22C0
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe | Code function: 3_2_00FD2680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey,3_2_00FD2680
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe | Code function: 3_2_00FD1FF0 memcpy,CryptDuplicateHash,CryptDestroyHash,RtlAllocateHeap,3_2_00FD1FF0
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe | Code function: 0_2_03043A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,0_2_03043A20
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe | Code function: 3_2_00FD3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,3_2_00FD3A20

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.5:49719 -> 190.202.229.74:80
Source: Traffic | Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.5:49723 -> 118.69.11.81:7080
Source: Traffic | Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49728 -> 70.39.251.94:8080
Source: Traffic | Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.5:49734 -> 87.230.25.43:8080
Source: Traffic | Snort IDS: 2404348 ET CNC Feodo Tracker Reported CnC Server TCP group 25 192.168.2.5:49737 -> 94.23.62.116:8080
Source: global traffic | TCP traffic: 192.168.2.5:49723 -> 118.69.11.81:7080
Source: global traffic | TCP traffic: 192.168.2.5:49728 -> 70.39.251.94:8080
Source: global traffic | TCP traffic: 192.168.2.5:49734 -> 87.230.25.43:8080
Source: global traffic | TCP traffic: 192.168.2.5:49737 -> 94.23.62.116:8080
Source: Joe Sandbox View | IP Address: 87.230.25.43
Source: Joe Sandbox View | IP Address: 94.23.62.116
Source: Joe Sandbox View | ASN Name: GD-EMEA-DC-SXB1DE
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | ASN Name: CANTVServiciosVenezuelaVE
Source: global traffic | TCP traffic: 192.168.2.5:49719 -> 190.202.229.74:80
Source: global traffic | HTTP traffic detected:
  POST /wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 94.23.62.116/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=----------------f0w0JM1b6rSEaEm2
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 94.23.62.116:8080
  Content-Length: 4596
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown | TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown | TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown | TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown | TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown | HTTP traffic detected:
  POST /wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 94.23.62.116/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=----------------f0w0JM1b6rSEaEm2
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 94.23.62.116:8080
  Content-Length: 4596
  Cache-Control: no-cache
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp | String found in binary or memory: http://118.69.11.81:7080/0jC3/
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp | String found in binary or memory: http://118.69.11.81:7080/0jC3/shqos.dll.mui
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp | String found in binary or memory: http://190.202.229.74/5Uu8vkcV8mWoFDLq/
Source: hlink.exe, 00000003.00000003.324564616.0000000001155000.00000004.00000001.sdmp | String found in binary or memory: http://190.202.229.74/5Uu8vkcV8mWoFDLq/&
Source: hlink.exe, 00000003.00000003.324564616.0000000001155000.00000004.00000001.sdmp | String found in binary or memory: http://190.202.229.74/5Uu8vkcV8mWoFDLq/S
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp | String found in binary or memory: http://87.230.25.43:8080/Xw4Uto40i4G/H7gZE1odrrHvZ/5xEzKI/iLSKW7PXZiCOYRz82y7/
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp | String found in binary or memory: http://87.230.25.43:8080/Xw4Uto40i4G/H7gZE1odrrHvZ/5xEzKI/iLSKW7PXZiCOYRz82y7/(
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp | String found in binary or memory: http://87.230.25.43:8080/Xw4Uto40i4G/H7gZE1odrrHvZ/5xEzKI/iLSKW7PXZiCOYRz82y7/K
Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmp | String found in binary or memory: http://87.230.25.43:8080/Xw4Uto40i4G/H7gZE1odrrHvZ/5xEzKI/iLSKW7PXZiCOYRz82y7/S
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp | String found in binary or memory: http://94.23.62.116:8080/wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp | String found in binary or memory: http://94.23.62.116:8080/wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/l
Source: hlink.exe, 00000003.00000002.502530179.0000000002BA4000.00000004.00000001.sdmp | String found in binary or memory: http://94.23.62.116:8080/wsRlzWQi4Bsh/odvA27zIKHS/khEmUw1XSRFsM2/ll
Source: svchost.exe, 00000004.00000002.503812585.000002DB0C610000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000004.00000002.503812585.000002DB0C610000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000004.00000002.503812585.000002DB0C610000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000004.00000002.503500592.000002DB0C580000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000009.00000002.306829909.00000275A3E13000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.501211639.000002705DC3E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000003.306470665.00000275A3E5A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.306404047.00000275A3E4B000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000002.306856777.00000275A3E42000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000002.306856777.00000275A3E42000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000002.306869256.00000275A3E5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.306470665.00000275A3E5A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000002.306869256.00000275A3E5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000002.306869256.00000275A3E5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.306432354.00000275A3E63000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.306470665.00000275A3E5A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.284520109.00000275A3E31000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.306829909.00000275A3E13000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.306518386.00000275A3E45000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.306518386.00000275A3E45000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.284520109.00000275A3E31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.306542156.00000275A3E3A000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000003.306404047.00000275A3E4B000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                Source: svchost.exe, 00000009.00000003.306470665.00000275A3E5A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                Source: svchost.exe, 00000009.00000002.306869256.00000275A3E5C000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                Source: svchost.exe, 00000009.00000002.306869256.00000275A3E5C000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                Source: svchost.exe, 00000009.00000003.306432354.00000275A3E63000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.306470665.00000275A3E5A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
                Source: svchost.exe, 00000009.00000003.306454302.00000275A3E60000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 00000009.00000003.284520109.00000275A3E31000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                Source: svchost.exe, 00000009.00000002.306852711.00000275A3E3D000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.306829909.00000275A3E13000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                Source: svchost.exe, 00000009.00000003.306518386.00000275A3E45000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                Source: svchost.exe, 00000009.00000003.306518386.00000275A3E45000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                Source: svchost.exe, 00000009.00000003.284520109.00000275A3E31000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                Source: svchost.exe, 00000009.00000003.306542156.00000275A3E3A000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                Source: svchost.exe, 00000009.00000003.306404047.00000275A3E4B000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: hlink.exe, 00000003.00000002.502111167.000000000106A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                E-Banking Fraud:

                Yara detected Emotet
                Source: Yara match; File source: 00000003.00000002.501702388.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.502007177.0000000000FD1000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000002.236042991.0000000003004000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000002.236006103.0000000002FC0000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000002.236081390.0000000003041000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.501876677.0000000000F74000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 3.2.hlink.exe.fd0000.1.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.AXZFXiJCj3.exe.3040000.1.unpack, type: UNPACKEDPE
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00FD2680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; File created: C:\Windows\SysWOW64\InputInjectionBroker\
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; File deleted: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe:Zone.Identifier
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_03048330
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_030486F0
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_03047B30
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_03046860
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_03044190
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_030441B7
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_030442C9
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_03043CE0
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_03043EE0
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC96CE
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC9ECE
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FCA28E
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC5A7E
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FD7669
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC5E67
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC83FE
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC587E
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC5D55
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC5D2E
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00FD86F0
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00FD3CE0
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00FD3EE0
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00FD42C9
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00FD41B7
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00FD4190
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00FD6860
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00FD8330
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00FD7B30
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00E1587E
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00E15D55
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00E15D2E
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00E196CE
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00E19ECE
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00E1A28E
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00E15E67
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00E27669
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00E15A7E
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00E183FE
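The function list above for AXZFXiJCj3.exe (process 0) and hlink.exe (process 3) can be correlated with the Yara-matched memory dumps listed under "Yara detected Emotet": every one of the 19 addresses reported for process 0 has a counterpart at the same offset inside a Yara-matched region of process 3 (0x03048330 and 0x00FD8330, 0x02FD7669 and 0x00E27669, and so on), which is what you expect when the dropped hlink.exe is the same payload running from a different base. The following Python is an added example for doing that check from the report text; it is not part of the Joe Sandbox report. It reads the fifth field of a dump name as the Win32 page-protection value (0x20 PAGE_EXECUTE_READ, 0x40 PAGE_EXECUTE_READWRITE), which is an assumption about the naming convention, and it assigns each address to the dump with the highest base at or below it because dump sizes are not in the report.

```python
import re
from collections import defaultdict

# Yara-matched memory dumps, copied from the report.
YARA_DUMPS = [
    "00000003.00000002.501702388.0000000000E10000.00000040.00000001.sdmp",
    "00000003.00000002.502007177.0000000000FD1000.00000020.00000001.sdmp",
    "00000000.00000002.236042991.0000000003004000.00000004.00000001.sdmp",
    "00000000.00000002.236006103.0000000002FC0000.00000040.00000001.sdmp",
    "00000000.00000002.236081390.0000000003041000.00000020.00000001.sdmp",
    "00000003.00000002.501876677.0000000000F74000.00000004.00000001.sdmp",
]

# Assumption: the fifth dump-name field is a Win32 page-protection constant.
PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# "Code function" identifiers copied from the report: <process>_<stage>_<address>.
FUNCTIONS = """
0_2_03048330 0_2_030486F0 0_2_03047B30 0_2_03046860 0_2_03044190 0_2_030441B7 0_2_030442C9
0_2_03043CE0 0_2_03043EE0 0_2_02FC96CE 0_2_02FC9ECE 0_2_02FCA28E 0_2_02FC5A7E 0_2_02FD7669
0_2_02FC5E67 0_2_02FC83FE 0_2_02FC587E 0_2_02FC5D55 0_2_02FC5D2E
3_2_00FD86F0 3_2_00FD3CE0 3_2_00FD3EE0 3_2_00FD42C9 3_2_00FD41B7 3_2_00FD4190 3_2_00FD6860
3_2_00FD8330 3_2_00FD7B30 3_2_00E1587E 3_2_00E15D55 3_2_00E15D2E 3_2_00E196CE 3_2_00E19ECE
3_2_00E1A28E 3_2_00E15E67 3_2_00E27669 3_2_00E15A7E 3_2_00E183FE
""".split()

DUMP_RE = re.compile(r"^(\d{8})\.(\d{8})\.\d+\.([0-9A-F]{16})\.([0-9A-F]{8})\.\d{8}\.sdmp$")
FUNC_RE = re.compile(r"^(\d+)_(\d+)_([0-9A-Fa-f]{8})$")


def parse_dumps(names):
    """{process index: sorted [(base address, protection name), ...]}"""
    regions = defaultdict(list)
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"unrecognised dump name: {name}")
        proc, base, prot = int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)
        regions[proc].append((base, PROTECTION.get(prot, hex(prot))))
    return {p: sorted(v) for p, v in regions.items()}


def containing_region(regions, addr):
    """The dump with the highest base at or below addr; None if no dump lies below it."""
    below = [r for r in regions if r[0] <= addr]
    return max(below) if below else None


def offsets_by_region(functions, dumps):
    """{process: {(base, protection): {offset, ...}}}, offsets relative to the containing dump."""
    regions = parse_dumps(dumps)
    out = defaultdict(lambda: defaultdict(set))
    for entry in functions:
        m = FUNC_RE.match(entry)
        if not m:
            raise ValueError(f"unrecognised function id: {entry}")
        proc, addr = int(m.group(1)), int(m.group(3), 16)
        region = containing_region(regions.get(proc, []), addr)
        if region is not None:
            out[proc][region].add(addr - region[0])
    return out


def match_regions(functions, dumps, proc_a=0, proc_b=3):
    """[(base_a, base_b, protection_a, count)] for region pairs whose function offsets coincide exactly."""
    offs = offsets_by_region(functions, dumps)
    matches = []
    for (base_a, prot_a), set_a in offs[proc_a].items():
        for (base_b, _), set_b in offs[proc_b].items():
            if set_a and set_a == set_b:
                matches.append((base_a, base_b, prot_a, len(set_a)))
    return sorted(matches)


def pair_functions(functions, dumps, proc_a=0, proc_b=3):
    """{address in proc_a: address of the same function in proc_b} over the matched regions."""
    offs = offsets_by_region(functions, dumps)
    pairs = {}
    for base_a, base_b, _, _ in match_regions(functions, dumps, proc_a, proc_b):
        offsets = next(s for (b, _), s in offs[proc_a].items() if b == base_a)
        pairs.update({base_a + o: base_b + o for o in offsets})
    return pairs


if __name__ == "__main__":
    for base_a, base_b, prot, n in match_regions(FUNCTIONS, YARA_DUMPS):
        print(f"proc 0 {base_a:#010x} <-> proc 3 {base_b:#010x}  {prot}  {n} functions")
```

Two region pairs come out: the PAGE_EXECUTE_READWRITE dumps at 0x02FC0000 / 0x00E10000 (10 functions) and the PAGE_EXECUTE_READ dumps at 0x03041000 / 0x00FD1000 (9 functions), and no function is left unpaired. Relocated code at a different base defeats address-based comparison but not offset-based comparison, so this is a cheap way to confirm that two processes in a report run the same unpacked image before spending time on the second one.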
                Source: AXZFXiJCj3.exe, 00000000.00000002.236269154.0000000003260000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs AXZFXiJCj3.exe
                Source: AXZFXiJCj3.exe, 00000000.00000002.236269154.0000000003260000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs AXZFXiJCj3.exe
                Source: AXZFXiJCj3.exe, 00000000.00000002.236230649.0000000003200000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs AXZFXiJCj3.exe
                Source: C:\Windows\System32\svchost.exe; Section loaded: xboxlivetitleid.dll
                Source: C:\Windows\System32\svchost.exe; Section loaded: cdpsgshims.dll
                Source: classification engine; Classification label: mal80.troj.evad.winEXE@16/5@0/6
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle,0_2_03048CA0
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00FD4FD0 Process32NextW,Process32FirstW,Process32FirstW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,FindCloseChangeNotification
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_03045390 ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap
                Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:4956:120:WilError_01
                Source: AXZFXiJCj3.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; File read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Windows\System32\svchost.exe; File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\svchost.exe; File read: C:\Windows\System32\drivers\etc\hosts
                Source: AXZFXiJCj3.exe; Metadefender: Detection: 45%
                Source: AXZFXiJCj3.exe; ReversingLabs: Detection: 70%
                Source: unknown; Process created: C:\Users\user\Desktop\AXZFXiJCj3.exe 'C:\Users\user\Desktop\AXZFXiJCj3.exe'
                Source: unknown; Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
                Source: unknown; Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
                Source: unknown; Process created: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe
                Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown; Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                Source: unknown; Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                Source: unknown; Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                Source: unknown; Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown; Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Process created: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe
                Source: C:\Windows\System32\svchost.exe; Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_03001030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_03046320 push ecx; mov dword ptr [esp], 00009128h (0_2_03046321)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_03046220 push ecx; mov dword ptr [esp], 00004B50h (0_2_03046221)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_03046240 push ecx; mov dword ptr [esp], 00008F23h (0_2_03046241)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_03046140 push ecx; mov dword ptr [esp], 00004AF2h (0_2_03046141)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_03046180 push ecx; mov dword ptr [esp], 0000D106h (0_2_03046181)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_03046090 push ecx; mov dword ptr [esp], 0000BAD9h (0_2_03046091)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_030462A0 push ecx; mov dword ptr [esp], 0000BFAAh (0_2_030462A1)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_030461B0 push ecx; mov dword ptr [esp], 000003A6h (0_2_030461B1)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_030462D0 push ecx; mov dword ptr [esp], 00001969h (0_2_030462D1)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_030461D0 push ecx; mov dword ptr [esp], 00004B56h (0_2_030461D1)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_030460F0 push ecx; mov dword ptr [esp], 0000A172h (0_2_030460F1)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC7EBE push ecx; mov dword ptr [esp], 00009128h (0_2_02FC7EBF)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC7E6E push ecx; mov dword ptr [esp], 00001969h (0_2_02FC7E6F)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC7E3E push ecx; mov dword ptr [esp], 0000BFAAh (0_2_02FC7E3F)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FE3FD9 push ss; iretd (0_2_02FE3FDE)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FD8B8F push edi; iretd (0_2_02FD8BA1)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC7CDE push ecx; mov dword ptr [esp], 00004AF2h (0_2_02FC7CDF)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FE449C push ebx; iretd (0_2_02FE44AF)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FE449C push FFFFFF95h; iretd (0_2_02FE44F1)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC7C8E push ecx; mov dword ptr [esp], 0000A172h (0_2_02FC7C8F)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC7C2E push ecx; mov dword ptr [esp], 0000BAD9h (0_2_02FC7C2F)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC7DDE push ecx; mov dword ptr [esp], 00008F23h (0_2_02FC7DDF)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC7DBE push ecx; mov dword ptr [esp], 00004B50h (0_2_02FC7DBF)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC7D6E push ecx; mov dword ptr [esp], 00004B56h (0_2_02FC7D6F)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC7D4E push ecx; mov dword ptr [esp], 000003A6h (0_2_02FC7D4F)
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Code function: 0_2_02FC7D1E push ecx; mov dword ptr [esp], 0000D106h (0_2_02FC7D1F)
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00FD60F0 push ecx; mov dword ptr [esp], 0000A172h (3_2_00FD60F1)
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00FD62D0 push ecx; mov dword ptr [esp], 00001969h (3_2_00FD62D1)
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00FD61D0 push ecx; mov dword ptr [esp], 00004B56h (3_2_00FD61D1)
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00FD61B0 push ecx; mov dword ptr [esp], 000003A6h (3_2_00FD61B1)
                Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe; Code function: 3_2_00FD62A0 push ecx; mov dword ptr [esp], 0000BFAAh (3_2_00FD62A1)
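The `push ecx; mov dword ptr [esp], imm32` pairs above leave the stack exactly as `push imm32` would, without producing a `68 xx xx xx xx` byte pattern; in the bytes they encode as `51 C7 04 24` followed by the little-endian immediate. The report lists the same eleven constants (9128, 4B50, 8F23, 4AF2, D106, BAD9, BFAA, 03A6, 1969, 4B56, A172) in two regions of process 0 and five of them, at the same image offsets, in hlink.exe; it does not say what the constants are used for, so the Python below only extracts and correlates them. It is an added example, not part of the Joe Sandbox report. The byte blob it scans is constructed from the listed entries, and the `jmp rel32` placed after each stub in that blob is an assumed layout that the report does not show; the target-resolution helper therefore only illustrates what to do when such a jump is present.

```python
import re
import struct

# push ecx ; mov dword ptr [esp], imm32  ->  51 C7 04 24 <imm32 little-endian>
STUB = re.compile(rb"\x51\xC7\x04\x24(.{4})", re.DOTALL)
STUB_LEN = 8          # bytes in the two-instruction stub
JMP_LEN = 5           # E9 rel32

# Stubs as listed in the report: address -> immediate, per memory region.
REPORTED = {
    "proc0 0x03046xxx": {0x03046320: 0x9128, 0x03046220: 0x4B50, 0x03046240: 0x8F23,
                         0x03046140: 0x4AF2, 0x03046180: 0xD106, 0x03046090: 0xBAD9,
                         0x030462A0: 0xBFAA, 0x030461B0: 0x03A6, 0x030462D0: 0x1969,
                         0x030461D0: 0x4B56, 0x030460F0: 0xA172},
    "proc0 0x02FC7xxx": {0x02FC7EBE: 0x9128, 0x02FC7E6E: 0x1969, 0x02FC7E3E: 0xBFAA,
                         0x02FC7CDE: 0x4AF2, 0x02FC7C8E: 0xA172, 0x02FC7C2E: 0xBAD9,
                         0x02FC7DDE: 0x8F23, 0x02FC7DBE: 0x4B50, 0x02FC7D6E: 0x4B56,
                         0x02FC7D4E: 0x03A6, 0x02FC7D1E: 0xD106},
    "proc3 0x00FD6xxx": {0x00FD60F0: 0xA172, 0x00FD62D0: 0x1969, 0x00FD61D0: 0x4B56,
                         0x00FD61B0: 0x03A6, 0x00FD62A0: 0xBFAA},
}


def build_sample(stubs, region_base, resolver, size=0x400):
    """Constructed code blob, not bytes from the sample: each stub at its reported address,
    followed by `jmp resolver`.  The jmp is an assumed layout; int3 (CC) fills the gaps."""
    buf = bytearray(b"\xCC" * size)
    for addr, imm in stubs.items():
        off = addr - region_base
        code = b"\x51\xC7\x04\x24" + struct.pack("<I", imm)
        rel = resolver - (addr + STUB_LEN + JMP_LEN)          # rel32 is relative to the next instruction
        code += b"\xE9" + struct.pack("<i", rel)
        buf[off:off + len(code)] = code
    return bytes(buf)


def find_stubs(code, base=0):
    """{address: imm32} for every push ecx / mov [esp], imm32 pair.  Arbitrary data can
    false-positive on the four-byte prefix, so correlate hits across regions before trusting them."""
    return {base + m.start(): struct.unpack("<I", m.group(1))[0] for m in STUB.finditer(code)}


def stub_targets(code, base=0):
    """{address: jmp target} for stubs directly followed by E9 rel32; None when no jmp follows."""
    targets = {}
    for addr in find_stubs(code, base):
        off = addr - base + STUB_LEN
        if off + JMP_LEN <= len(code) and code[off] == 0xE9:
            rel = struct.unpack("<i", code[off + 1:off + JMP_LEN])[0]
            targets[addr] = addr + STUB_LEN + JMP_LEN + rel
        else:
            targets[addr] = None
    return targets


def constant_sets(reported):
    """{region name: frozenset of immediates} so regions can be compared as sets."""
    return {name: frozenset(stubs.values()) for name, stubs in reported.items()}


def shared_layout(stubs_a, stubs_b, base_a, base_b):
    """{offset: imm} for stubs found at the same offset from their region base with the same constant."""
    return {addr - base_a: imm for addr, imm in stubs_a.items()
            if stubs_b.get(base_b + (addr - base_a)) == imm}


if __name__ == "__main__":
    blob = build_sample(REPORTED["proc0 0x03046xxx"], 0x03046000, resolver=0x03041000)
    for addr, imm in sorted(find_stubs(blob, 0x03046000).items()):
        print(f"{addr:#010x}  imm={imm:#06x}  jmp->{stub_targets(blob, 0x03046000)[addr]:#010x}")
```

Comparing the sets shows the 0x02FC7xxx region of process 0 carries exactly the eleven constants of the 0x03046xxx region but at different offsets, while the five hlink.exe stubs sit at the same image offsets (0x60F0, 0x61B0, 0x61D0, 0x62A0, 0x62D0) as their process 0 counterparts. Constants that survive relocation and reappear in the dropped copy are good candidates for a memory-scanning rule, whereas the addresses themselves are not.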

                Persistence and Installation Behavior:

                Drops executables to the windows directory (C:\Windows) and starts them
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; Executable created and started: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe
                Source: C:\Users\user\Desktop\AXZFXiJCj3.exe; PE file moved: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe | File opened: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe:Zone.Identifier read attributes | delete
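The persistence and zone-identifier signatures above describe one sequence: the sample moves its own PE into a new sub-directory of C:\Windows\SysWOW64 (a location that needs administrative rights to write to), starts the copy, and opens the copy's `:Zone.Identifier` alternate data stream with delete access so the mark-of-the-web no longer records an Internet origin. The Python below is an added example of correlating those three events, not part of the report or of any sandbox or EDR product; the event stream, the operation names and the rule names are constructed here in the shape of the report's behaviour lines.

```python
import re
from collections import defaultdict

# Executables written under the Windows directory by a user-started process are rare:
# the location needs administrative rights, so the write alone is already a signal.
WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.IGNORECASE)
ZONE_ID = re.compile(r":zone\.identifier$", re.IGNORECASE)
FILE_WRITE_OPS = {"file_create", "file_move"}   # "Executable created" / "PE file moved"

# Constructed event stream (actor, operation, target) modelled on the report's lines;
# not real telemetry. The explorer.exe and setup.exe lines are benign noise (a user
# unblocking a download by hand, an installer running its own helper) added to show
# why the rules correlate instead of alerting on each event alone.
EVENTS = [
    ("C:\\Windows\\explorer.exe", "stream_delete",
     "C:\\Users\\user\\Downloads\\report.pdf:Zone.Identifier"),
    ("C:\\Users\\user\\Desktop\\AXZFXiJCj3.exe", "file_move",
     "C:\\Windows\\SysWOW64\\InputInjectionBroker\\hlink.exe"),
    ("C:\\Users\\user\\Desktop\\AXZFXiJCj3.exe", "stream_delete",
     "C:\\Windows\\SysWOW64\\InputInjectionBroker\\hlink.exe:Zone.Identifier"),
    ("C:\\Users\\user\\Desktop\\AXZFXiJCj3.exe", "process_start",
     "C:\\Windows\\SysWOW64\\InputInjectionBroker\\hlink.exe"),
    ("C:\\ProgramData\\Setup\\setup.exe", "file_create",
     "C:\\ProgramData\\Setup\\helper.exe"),
    ("C:\\ProgramData\\Setup\\setup.exe", "process_start",
     "C:\\ProgramData\\Setup\\helper.exe"),
]


def analyse(events):
    """Return (rule, actor, path) findings in event order. Rule names are my own:

    motw_removed                     any :Zone.Identifier stream deleted
    motw_removed_on_dropped_file     ... on an executable the same actor wrote under the Windows dir
    drop_and_execute_in_windows_dir  actor starts an executable it wrote under the Windows dir
    """
    dropped = defaultdict(set)   # actor -> lower-cased executables it wrote under the Windows dir
    findings = []
    for actor, op, target in events:
        path = target.lower()
        if op in FILE_WRITE_OPS and WINDOWS_DIR.match(path) and path.endswith(".exe"):
            dropped[actor].add(path)
        elif op == "stream_delete" and ZONE_ID.search(path):
            host = ZONE_ID.sub("", path)
            findings.append(("motw_removed", actor, host))
            if host in dropped[actor]:
                findings.append(("motw_removed_on_dropped_file", actor, host))
        elif op == "process_start" and path in dropped[actor]:
            findings.append(("drop_and_execute_in_windows_dir", actor, path))
    return findings


def high_confidence(findings):
    """Keep only the correlated rules: a lone MOTW removal is common and usually benign."""
    return [f for f in findings if f[0] != "motw_removed"]


if __name__ == "__main__":
    for rule, actor, path in analyse(EVENTS):
        print(f"{rule:32} {actor} -> {path}")
```

On a real host the same correlation is keyed on the process that created the file and the image path of the new process; the uncorrelated `motw_removed` rule is kept only as context, because users and installers strip the stream legitimately.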
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe | Code function: ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap, | 0_2_03045390
Source: C:\Windows\System32\svchost.exe TID: 6060 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\AXZFXiJCj3.exe | Code function: 0_2_03043A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, | 0_2_03043A20
Source: C:\Windows\SysWOW64\InputInjectionBroker\hlink.exe | Code function: 3_2_00FD3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, | 3_2_00FD3A20
Source: svchost.exe, 00000006.00000002.292246563.0000019630140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.502619598.000002705E790000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.311498734.0000020BEA140000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000004.00000002.504082116.000002DB0C660000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000001.00000002.491247141.000002652D602000.00000004.00000001.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: hlink.exe, 00000003.00000003.324534644.0000000002BB7000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.503963627.000002DB0C64B000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.292246563.0000019630140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.502619598.000002705E790000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.311498734.0000020BEA140000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000006.00000002.292246563.0000019630140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.502619598.000002705E790000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.311498734.0000020BEA140000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000004.00000002.501259513.000002DB06E29000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW@Af
Source: svchost.exe, 00000007.00000002.501267426.000002705DC68000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.501064177.0000020DC6A29000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost