Analysis Report 5e8fYZ8TM6

Overview

General Information

Sample Name: 5e8fYZ8TM6 (renamed file extension from none to exe)
Analysis ID: 317608
MD5: e312419a2323bc0885320ffba12c61fb
SHA1: e41575401eb8f67515cd02f892b8a3718f50319d
SHA256: 4eea447c84313427eef7bad0462274e923632504daafc313f1528b7f46c5852d

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • 5e8fYZ8TM6.exe (PID: 6036 cmdline: 'C:\Users\user\Desktop\5e8fYZ8TM6.exe' MD5: E312419A2323BC0885320FFBA12C61FB)
    • splwow64.exe (PID: 5904 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)
  • svchost.exe (PID: 204 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1528 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5256 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2308 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5652 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1528 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5900 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5396 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6184 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6216 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5488 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000002.00000002.484136450.0000000002AF1000.00000020.00000001.sdmp; Rule: JoeSecurity_Emotet; Description: Yara detected Emotet; Author: Joe Security
Source: 00000002.00000003.253560512.0000000000549000.00000004.00000001.sdmp; Rule: JoeSecurity_Emotet; Description: Yara detected Emotet; Author: Joe Security
Source: 00000002.00000002.481950489.0000000000531000.00000004.00000020.sdmp; Rule: JoeSecurity_Emotet; Description: Yara detected Emotet; Author: Joe Security
Source: 00000000.00000002.235061134.00000000022A1000.00000020.00000001.sdmp; Rule: JoeSecurity_Emotet; Description: Yara detected Emotet; Author: Joe Security
Source: 00000000.00000002.235927547.00000000033E0000.00000004.00000001.sdmp; Rule: JoeSecurity_Emotet; Description: Yara detected Emotet; Author: Joe Security

Unpacked PEs

Source: 0.2.5e8fYZ8TM6.exe.22a0000.2.unpack; Rule: JoeSecurity_Emotet; Description: Yara detected Emotet; Author: Joe Security
Source: 2.2.SystemPropertiesDataExecutionPrevention.exe.2af0000.2.unpack; Rule: JoeSecurity_Emotet; Description: Yara detected Emotet; Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 5e8fYZ8TM6.exe; Metadefender: Detection: 54%
Source: 5e8fYZ8TM6.exe; ReversingLabs: Detection: 66%
Machine Learning detection for sample
Source: 5e8fYZ8TM6.exe; Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe; Code function: 2_2_02AF2290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,2_2_02AF2290
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe; Code function: 2_2_02AF2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,2_2_02AF2650
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe; Code function: 2_2_02AF1FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptVerifySignatureW,CryptDestroyHash,CryptDecrypt,CryptDuplicateHash,2_2_02AF1FB0
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe; Code function: 0_2_022A38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,0_2_022A38F0
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe; Code function: 2_2_02AF38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,2_2_02AF38F0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.3:49727 -> 88.153.35.32:80
Source: Traffic; Snort IDS: 2404300 ET CNC Feodo Tracker Reported CnC Server TCP group 1 192.168.2.3:49733 -> 107.170.146.252:8080
Source: Traffic; Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.3:49739 -> 173.212.214.235:7080
Source: global traffic; TCP traffic: 192.168.2.3:49733 -> 107.170.146.252:8080
Source: global traffic; TCP traffic: 192.168.2.3:49739 -> 173.212.214.235:7080
Source: global traffic; TCP traffic: 192.168.2.3:49740 -> 167.114.153.111:8080
Source: Joe Sandbox View; IP Address: 107.170.146.252
Source: Joe Sandbox View; IP Address: 167.114.153.111
Source: Joe Sandbox View; ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View; ASN Name: LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding
Source: global traffic; TCP traffic: 192.168.2.3:49727 -> 88.153.35.32:80
Source: global traffic; HTTP traffic detected:
  POST /Gjg6VQQfQODeFKh5/ipksxZysj4/Y3BzlSWrxu2eNy/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 167.114.153.111/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=--------------------59GcGOAAM0KMMN79WmTg
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 167.114.153.111:8080
  Content-Length: 4612
  Cache-Control: no-cache
Source: unknown; TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown; TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown; TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown; TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe; Code function: 2_2_02AF29B0 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW,2_2_02AF29B0
Source: unknown; HTTP traffic detected:
  POST /Gjg6VQQfQODeFKh5/ipksxZysj4/Y3BzlSWrxu2eNy/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 167.114.153.111/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=--------------------59GcGOAAM0KMMN79WmTg
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 167.114.153.111:8080
  Content-Length: 4612
  Cache-Control: no-cache
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.485148988.0000000003450000.00000004.00000001.sdmp; String found in binary or memory: http://107.170.146.252:8080/FzxV1tcYAXWJ/49nleX/mnwI0BZz7GFzEpyb4FJ/
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.486301037.0000000003626000.00000004.00000001.sdmp; String found in binary or memory: http://167.114.153.111:8080/Gjg6VQQfQODeFKh5/ipksxZysj4/Y3BzlSWrxu2eNy/
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.486301037.0000000003626000.00000004.00000001.sdmp; String found in binary or memory: http://167.114.153.111:8080/Gjg6VQQfQODeFKh5/ipksxZysj4/Y3BzlSWrxu2eNy/7
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000003.341262791.0000000003627000.00000004.00000001.sdmp; String found in binary or memory: http://88.153.35.32/C2AWX/0IcMqQll94L/
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000003.341262791.0000000003627000.00000004.00000001.sdmp; String found in binary or memory: http://88.153.35.32/C2AWX/0IcMqQll94L/7
Source: svchost.exe, 00000003.00000002.484487790.0000028B6F612000.00000004.00000001.sdmp; String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000003.00000002.484487790.0000028B6F612000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000003.00000002.484568656.0000028B6F63D000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 0000000B.00000002.312330349.0000015EE0C13000.00000004.00000001.sdmp; String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp; String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp; String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp; String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp; String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp; String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp; String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.312047109.0000015EE0C5A000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.312388605.0000015EE0C4E000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.312073422.0000015EE0C41000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.312073422.0000015EE0C41000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.312395961.0000015EE0C5C000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.312047109.0000015EE0C5A000.00000004.00000001.sdmp; String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.312395961.0000015EE0C5C000.00000004.00000001.sdmp; String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.312395961.0000015EE0C5C000.00000004.00000001.sdmp; String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000002.312405048.0000015EE0C64000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.312069072.0000015EE0C45000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.312047109.0000015EE0C5A000.00000004.00000001.sdmp; String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp; String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp; String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.290284677.0000015EE0C31000.00000004.00000001.sdmp; String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000003.341262791.0000000003627000.00000004.00000001.sdmp; String found in binary or memory: https://fs.microsoft.c
Source: svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp; String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.312330349.0000015EE0C13000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp; String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.312069072.0000015EE0C45000.00000004.00000001.sdmp; String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.312069072.0000015EE0C45000.00000004.00000001.sdmp; String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.290284677.0000015EE0C31000.00000004.00000001.sdmp; String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000002.312366257.0000015EE0C3A000.00000004.00000001.sdmp; String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.312330349.0000015EE0C13000.00000004.00000001.sdmp; String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                Source: svchost.exe, 0000000B.00000002.312330349.0000015EE0C13000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 00000002.00000002.484136450.0000000002AF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.253560512.0000000000549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.481950489.0000000000531000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.235061134.00000000022A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.235927547.00000000033E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.5e8fYZ8TM6.exe.22a0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SystemPropertiesDataExecutionPrevention.exe.2af0000.2.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx, 2_2_02AF2650
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022901F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 0_2_022901F0
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AE01F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 2_2_02AE01F0
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | File created: C:\Windows\SysWOW64\unenrollhook\
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | File deleted: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe:Zone.Identifier
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_00451D80 0_2_00451D80
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A8240 0_2_022A8240
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A3F20 0_2_022A3F20
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A7740 0_2_022A7740
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A3BA0 0_2_022A3BA0
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A1C70 0_2_022A1C70
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A6530 0_2_022A6530
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A3D10 0_2_022A3D10
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF8240 2_2_02AF8240
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF3BA0 2_2_02AF3BA0
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF3F20 2_2_02AF3F20
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF6530 2_2_02AF6530
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF3D10 2_2_02AF3D10
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF1C70 2_2_02AF1C70
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF7740 2_2_02AF7740
Source: 5e8fYZ8TM6.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5e8fYZ8TM6.exe, 00000000.00000002.236353987.0000000003880000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.234305664.0000000000470000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSEKPaint2.exe vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.236532586.0000000003980000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.236532586.0000000003980000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.234876439.0000000002110000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe | Binary or memory string: OriginalFilenameSEKPaint2.exe vs 5e8fYZ8TM6.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: 5e8fYZ8TM6.exe | Binary or memory string: F*\AC:\sekpaint20\SEKPaint2.vbp
Source: 5e8fYZ8TM6.exe, 00000000.00000002.234276941.000000000046C000.00000004.00020000.sdmp, SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.481834265.000000000046C000.00000004.00020000.sdmp | Binary or memory string: @*\AC:\sekpaint20\SEKPaint2.vbp
Source: classification engine | Classification label: mal80.troj.evad.winEXE@18/8@0/6
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle, 0_2_022A87D0
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF4CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification, 2_2_02AF4CB0
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A5070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_022A5070
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5404:120:WilError_01
Source: 5e8fYZ8TM6.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 5e8fYZ8TM6.exe | Metadefender: Detection: 54%
Source: 5e8fYZ8TM6.exe | ReversingLabs: Detection: 66%
Source: unknown | Process created: C:\Users\user\Desktop\5e8fYZ8TM6.exe 'C:\Users\user\Desktop\5e8fYZ8TM6.exe'
Source: unknown | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown | Process created: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Process created: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: 5e8fYZ8TM6.exe | Static PE information: real checksum: 0x8839b should be: 0x92711
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_0040C8B4 push es; retf 0_2_0040C8D3
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_0040C915 push ds; iretd 0_2_0040C91F
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A5E10 push ecx; mov dword ptr [esp], 0000F5B3h 0_2_022A5E11
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A5EA0 push ecx; mov dword ptr [esp], 0000A3FDh 0_2_022A5EA1
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A5EF0 push ecx; mov dword ptr [esp], 0000669Ch 0_2_022A5EF1
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A5F20 push ecx; mov dword ptr [esp], 0000E36Ch 0_2_022A5F21
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A5CD0 push ecx; mov dword ptr [esp], 00001CE1h 0_2_022A5CD1
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A5D20 push ecx; mov dword ptr [esp], 0000C5A1h 0_2_022A5D21
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A5D00 push ecx; mov dword ptr [esp], 00001F9Eh 0_2_022A5D01
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A5D50 push ecx; mov dword ptr [esp], 00006847h 0_2_022A5D51
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A5D90 push ecx; mov dword ptr [esp], 0000B2E0h 0_2_022A5D91
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A5DF0 push ecx; mov dword ptr [esp], 0000AAF5h 0_2_022A5DF1
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Code function: 0_2_022A5DC0 push ecx; mov dword ptr [esp], 000089FAh 0_2_022A5DC1
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF5EA0 push ecx; mov dword ptr [esp], 0000A3FDh 2_2_02AF5EA1
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF5D90 push ecx; mov dword ptr [esp], 0000B2E0h 2_2_02AF5D91
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF5DF0 push ecx; mov dword ptr [esp], 0000AAF5h 2_2_02AF5DF1
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF5EF0 push ecx; mov dword ptr [esp], 0000669Ch 2_2_02AF5EF1
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF5DC0 push ecx; mov dword ptr [esp], 000089FAh 2_2_02AF5DC1
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF5CD0 push ecx; mov dword ptr [esp], 00001CE1h 2_2_02AF5CD1
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF5D20 push ecx; mov dword ptr [esp], 0000C5A1h 2_2_02AF5D21
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF5F20 push ecx; mov dword ptr [esp], 0000E36Ch 2_2_02AF5F21
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF5D00 push ecx; mov dword ptr [esp], 00001F9Eh 2_2_02AF5D01
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF5E10 push ecx; mov dword ptr [esp], 0000F5B3h 2_2_02AF5E11
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe | Code function: 2_2_02AF5D50 push ecx; mov dword ptr [esp], 00006847h 2_2_02AF5D51
Source: initial sample | Static PE information: section name: .text entropy: 6.95854234229

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | Executable created and started: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe | PE file moved: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe

                Hooking and other Techniques for Hiding and Protection:

                barindex
                Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exeFile opened: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe:Zone.Identifier read attributes | deleteJump to behavior
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exeFile opened: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe:Zone.Identifier read attributes | deleteJump to behavior
                Source: C:\Windows\splwow64.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                Source: C:\Windows\splwow64.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\splwow64.exe    Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\splwow64.exe    Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\splwow64.exe    Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\splwow64.exe    Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\splwow64.exe    Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\splwow64.exe    Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\splwow64.exe    Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\splwow64.exe    Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\splwow64.exe    Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\splwow64.exe    Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\svchost.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\svchost.exe    Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe    File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe    Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,0_2_022A5070
                Source: C:\Windows\splwow64.exe    Window / User API: threadDelayed 1077
                Source: C:\Windows\System32\svchost.exe TID: 1156    Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\svchost.exe    File opened: PhysicalDrive0
                Source: C:\Windows\splwow64.exe    Last function: Thread delayed
                Source: C:\Windows\splwow64.exe    Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe    Last function: Thread delayed
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe    File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe    Code function: 0_2_022A38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,0_2_022A38F0
                Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe    Code function: 2_2_02AF38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,2_2_02AF38F0
                Source: svchost.exe, 00000003.00000002.484675123.0000028B6F660000.00000004.00000001.sdmp    Binary or memory string: "@Hyper-V RAW
                Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.293855513.0000025973A60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.483871525.0000026801340000.00000002.00000001.sdmp    Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: svchost.exe, 00000003.00000002.482245435.0000028B6A029000.00000004.00000001.sdmp    Binary or memory string: Hyper-V RAW ofo
                Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000003.341262791.0000000003627000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.484638353.0000028B6F653000.00000004.00000001.sdmp    Binary or memory string: Hyper-V RAW
                Source: svchost.exe, 00000007.00000002.482240713.000001E91B602000.00000004.00000001.sdmp    Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.486279195.0000000003616000.00000004.00000001.sdmp    Binary or memory string: Hyper-V RAWHfa
                Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.293855513.0000025973A60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.483871525.0000026801340000.00000002.00000001.sdmp    Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.293855513.0000025973A60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.483871525.0000026801340000.00000002.00000001.sdmp    Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: svchost.exe, 00000007.00000002.482320514.000001E91B640000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.481981398.0000026800668000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.482362022.0000029E4AE29000.00000004.00000001.sdmp    Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.293855513.0000025973A60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.483871525.0000026801340000.00000002.00000001.sdmp    Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe    Process information queried: ProcessInformation
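The rows above (SetErrorMode flags, the VMware virtual CD-ROM device path, PhysicalDrive0, thread delays, service and file enumeration, Hyper-V strings in process memory) are the raw evidence behind the report's evasion and VM-detection signatures, and a reader has to decide which of them are the sample's doing and which are background activity of the sandbox's Windows. The script below is an added example, not code from Joe Security or from the sample: it parses rows in the shape shown above (including the fused form that text extraction leaves behind), decodes the SetErrorMode flag names into the winbase.h mask, tags each row with an evasion category and tallies the tags separately for the sample's own processes and for background processes. The category names, the VM marker list and the SAMPLE_PROCESSES set (the submitted binary and the copy it dropped under SysWOW64\unenrollhook, as the report lists) are my assumptions, and the sample input is constructed by copying rows from this report. One caveat it encodes: "Hyper-V RAW" is the Winsock catalog name of the AF_HYPERV provider registered by mswsock.dll (the report itself shows the string next to mswsock.dll), so hits on it in svchost.exe memory are not evidence of VM-detection logic in the sample.

```python
"""Triage helper for Joe Sandbox style behaviour rows (added example, not code
from Joe Security or from the sample). Parses rows shaped like those above,
    Source: <process or memory dump>    <event kind>: <value>
also in the fused form where extraction dropped the separator, decodes the
SetErrorMode flags, tags each row with an evasion category and tallies the
tags separately for sample-controlled and Windows background processes."""
import re
from collections import Counter

# Event kinds present in the report; longer alternatives first so the regex
# prefers "File opened / queried" over "File opened".
EVENT_KINDS = ["Process information set", "Process information queried",
               "File opened / queried", "File Volume queried", "File opened",
               "Code function", "Window / User API", "Thread sleep time",
               "Binary or memory string", "Last function"]
ROW_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*(?P<kind>"
                    + "|".join(re.escape(k) for k in EVENT_KINDS)
                    + r"):\s*(?P<val>.*?)\s*(?:Jump to behavior)?$")

# SetErrorMode flag values (winbase.h); the report omits the SEM_ prefix.
SEM_FLAGS = {"FAILCRITICALERRORS": 0x0001, "NOGPFAULTERRORBOX": 0x0002,
             "NOALIGNMENTFAULTEXCEPT": 0x0004, "NOOPENFILEERRORBOX": 0x8000}

VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "hyper-v", "xen", "parallels")
# "Hyper-V RAW" is the Winsock catalog name of the AF_HYPERV provider registered
# by mswsock.dll (the report shows it next to mswsock.dll); it is present in any
# process that initialised Winsock and is not evidence of VM-detection code.
WEAK_STRINGS = ("hyper-v raw",)

# Assumption: the submitted sample and the copy it dropped under SysWOW64 are
# the only processes the sample controls in this run.
SAMPLE_PROCESSES = {"5e8fYZ8TM6.exe", "SystemPropertiesDataExecutionPrevention.exe"}


def decode_error_mode(value):
    """'NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX' -> SetErrorMode UINT mask."""
    mask = 0
    for name in (n.strip() for n in value.split("|")):
        if name not in SEM_FLAGS:
            raise ValueError(f"unknown SetErrorMode flag: {name!r}")
        mask |= SEM_FLAGS[name]
    return mask


def process_name(src):
    """Executable name of a source field (first image for multi-dump rows)."""
    first = src.split(",")[0].split(" TID:")[0]
    return first.replace("/", "\\").rsplit("\\", 1)[-1].strip()


def classify(kind, value):
    """Evasion categories a single row belongs to (possibly several)."""
    low, tags = value.lower(), []
    if kind == "Process information set":
        if decode_error_mode(value) & SEM_FLAGS["NOOPENFILEERRORBOX"]:
            tags.append("error_dialogs_suppressed")   # no dialog on failed file open
    elif kind == "File opened / queried" and any(m in low for m in VM_MARKERS):
        tags.append("vm_device_probe")      # e.g. the VMware virtual CD-ROM path
    elif kind == "File opened" and "physicaldrive" in low:
        tags.append("physical_disk_probe")  # usual prelude to a disk model query
    elif kind == "Thread sleep time" or (
            kind in ("Window / User API", "Last function") and "delay" in low):
        tags.append("sleep_delay")
    elif kind == "Binary or memory string" and any(m in low for m in VM_MARKERS):
        weak = any(w in low for w in WEAK_STRINGS)
        tags.append("vm_string_noise" if weak else "vm_string_in_memory")
    elif kind == "Code function":
        apis = {a.strip() for a in value.split(",")}
        for api, tag in (("EnumServicesStatusExW", "service_enumeration"),
                         ("ChangeServiceConfig2W", "service_config_change"),
                         ("FindFirstFileW", "file_enumeration")):
            if api in apis:
                tags.append(tag)
    return tags or ["other"]


def parse_rows(text):
    """One dict per report row; lines that are not rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"process": process_name(m["src"]), "kind": m["kind"],
                         "value": m["val"], "tags": classify(m["kind"], m["val"])})
    return rows


def attribute(rows, sample_processes=SAMPLE_PROCESSES):
    """Tally categories for sample-controlled versus background processes."""
    split = {"sample": Counter(), "background": Counter()}
    for row in rows:
        bucket = "sample" if row["process"] in sample_processes else "background"
        split[bucket].update(row["tags"])
    return split


# Constructed sample input: rows copied from the report above, some still in
# the fused form with the trailing "Jump to behavior" link text.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exe    Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exeCode function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,0_2_022A5070
Source: C:\Windows\System32\svchost.exe TID: 1156Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exeCode function: 2_2_02AF38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,2_2_02AF38F0
Source: svchost.exe, 00000007.00000002.482320514.000001E91B640000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
"""

if __name__ == "__main__":
    for bucket, tally in attribute(parse_rows(SAMPLE_ROWS)).items():
        print(bucket, dict(tally))
```

Run as a script it prints the two tallies for the constructed rows; paste the whole signature section into parse_rows() to triage a full report. Rows attributed here to svchost.exe, splwow64.exe and conhost.exe count as background unless the process tree shows the sample running code inside them, which this section alone does not establish.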