
Windows Analysis Report mormanti.exe

Overview

General Information

Sample Name: mormanti.exe
Analysis ID: 449959
MD5: 6c94edfea6e5ee001b00122c9d01bd8a
SHA1: a8d0cc5088ee86c2be77afe157695d12e951f369
SHA256: 0154d1d06e755bda091168038f25c1dde101e3b77c66f88b73c71be84ffdaf6e

Detection: Emotet
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to several IPs in different countries
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • mormanti.exe (PID: 3412 cmdline: 'C:\Users\user\Desktop\mormanti.exe' MD5: 6C94EDFEA6E5EE001B00122C9D01BD8A)
    • eventvwr.exe (PID: 2416 cmdline: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe MD5: 6C94EDFEA6E5EE001B00122C9D01BD8A)
  • svchost.exe (PID: 3148 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 384 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2168 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5924 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4744 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4880 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1276 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4936 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5588 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 3468 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 2648 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 4820 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
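
The process tree shows the sample writing a byte-identical copy of itself (same MD5 as the submitted file) to C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe, a file name borrowed from a genuine Windows binary, and then executing it. The following is an added example, not part of the Joe Sandbox report, that turns this behaviour into two checks: one over process-tree lines in the report's own layout, one over a directory tree on disk or in a mounted image. The process-tree subset and the temporary directory layout its demo builds are constructed for illustration; the on-disk check assumes the genuine binary lives directly in the system directory (true for eventvwr.exe), and a hash mismatch it reports is a lead to verify against the Authenticode signature, not proof on its own.

```python
"""Detect a dropped self-copy masquerading as a Windows system binary.

Added example (not from the Joe Sandbox report).  Check 1 parses
process-tree lines in the report's layout and flags children that carry
the submitted sample's MD5 but run from under the Windows directory.
Check 2 walks a system directory and reports every .exe in a sub-directory
whose name matches a file directly in that directory but whose SHA-256
differs from that reference copy.
"""
import hashlib
import os
import re
import shutil
import tempfile

# Constructed subset of the process tree, copied in the report's own format.
PROCESS_TREE = r"""
mormanti.exe (PID: 3412 cmdline: 'C:\Users\user\Desktop\mormanti.exe' MD5: 6C94EDFEA6E5EE001B00122C9D01BD8A)
eventvwr.exe (PID: 2416 cmdline: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe MD5: 6C94EDFEA6E5EE001B00122C9D01BD8A)
svchost.exe (PID: 3148 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
"""
SAMPLE_MD5 = "6c94edfea6e5ee001b00122c9d01bd8a"

TREE_RE = re.compile(
    r"^(?P<name>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-F]{32})\)$",
    re.IGNORECASE)


def image_path(cmdline):
    """First token of a command line; honours the report's single quotes."""
    if cmdline.startswith("'"):
        return cmdline[1:cmdline.index("'", 1)]
    return cmdline.split(" ", 1)[0]


def flag_self_copies(tree_text, sample_md5, windows_dir=r"C:\Windows"):
    """Return (pid, image_path) for processes whose image hash equals the
    sample's and whose image lives below the Windows directory."""
    hits = []
    for line in tree_text.strip().splitlines():
        m = TREE_RE.match(line.strip())
        if not m:
            continue
        path = image_path(m["cmd"])
        if (m["md5"].lower() == sample_md5.lower()
                and path.lower().startswith(windows_dir.lower() + "\\")):
            hits.append((int(m["pid"]), path))
    return hits


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_masquerading_exes(system_dir):
    """Return (candidate, reference) pairs: .exe files in sub-directories of
    system_dir that share a name with a file directly in system_dir but hash
    differently.  A mismatch is a lead, not proof; check the candidate's
    Authenticode signature before acting."""
    reference = {}
    for name in os.listdir(system_dir):
        full = os.path.join(system_dir, name)
        if name.lower().endswith(".exe") and os.path.isfile(full):
            reference[name.lower()] = full
    findings = []
    for root, _dirs, files in os.walk(system_dir):
        if os.path.normcase(root) == os.path.normcase(system_dir):
            continue  # the reference copies themselves
        for name in files:
            ref = reference.get(name.lower())
            if ref and sha256_file(os.path.join(root, name)) != sha256_file(ref):
                findings.append((os.path.join(root, name), ref))
    return findings


def demo_on_disk():
    """Build a throw-away directory mimicking SysWOW64 (constructed content)
    and run check 2; returns paths relative to the fake system directory."""
    base = tempfile.mkdtemp(prefix="syswow64_")
    try:
        layout = {
            "eventvwr.exe": b"genuine event viewer (constructed)",
            os.path.join("msmpeg2vdec", "eventvwr.exe"): b"MZ dropped copy (constructed)",
            os.path.join("backup", "eventvwr.exe"): b"genuine event viewer (constructed)",
            os.path.join("wbem", "unrelated.exe"): b"no reference copy exists",
        }
        for rel, data in layout.items():
            full = os.path.join(base, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return [(os.path.relpath(c, base).replace(os.sep, "/"),
                 os.path.relpath(r, base).replace(os.sep, "/"))
                for c, r in find_masquerading_exes(base)]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print("self-copies in process tree:", flag_self_copies(PROCESS_TREE, SAMPLE_MD5))
    print("hash mismatches on disk:", demo_on_disk())
```

The identical copy under backup\ in the demo is deliberately not reported: the check keys on content, not on the unusual location alone, so a legitimately duplicated binary does not page anyone.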

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["58.171.153.81:80", "104.131.103.128:443", "66.228.49.173:8080", "104.131.103.37:8080", "149.62.173.247:8080", "72.47.248.48:7080", "68.183.170.114:8080", "81.198.69.61:80", "217.13.106.14:8080", "77.90.136.129:8080", "217.199.160.224:7080", "178.79.163.131:8080", "2.47.112.152:80", "83.169.21.32:7080", "190.163.31.26:80", "185.94.252.27:443", "12.162.84.2:8080", "73.116.193.136:80", "177.72.13.80:80", "116.125.120.88:443", "213.181.91.224:80", "104.131.41.185:8080", "46.28.111.142:7080", "181.129.96.162:8080", "189.2.177.210:443", "111.67.12.221:8080", "189.194.58.119:80", "51.255.165.160:8080", "170.81.48.2:80", "177.74.228.34:80", "70.32.84.74:8080", "213.60.96.117:80", "186.250.52.226:8080", "70.32.115.157:8080", "190.190.148.27:8080", "204.225.249.100:7080", "192.241.143.52:8080", "202.62.39.111:80", "82.76.111.249:443", "190.147.137.153:443", "80.249.176.206:80", "91.219.169.180:80", "212.71.237.140:8080", "114.109.179.60:80", "5.196.35.138:7080", "87.106.46.107:8080", "190.6.193.152:8080", "172.104.169.32:8080", "186.103.141.250:443", "212.231.60.98:80", "147.91.184.91:80", "50.28.51.143:8080", "61.92.159.208:8080", "187.162.248.237:80", "191.182.6.118:80", "94.206.45.18:80", "219.92.13.25:80", "145.236.8.174:80", "89.32.150.160:8080", "93.151.186.85:80", "190.17.195.202:80", "181.120.79.227:80", "177.73.0.98:443", "192.241.146.84:8080", "217.160.182.191:8080", "68.183.190.199:8080", "137.74.106.111:7080", "177.144.135.2:80", "201.213.156.176:80", "82.196.15.205:8080", "104.236.161.64:8080", "209.236.123.42:8080", "77.55.211.77:8080", "177.66.190.130:80", "143.0.87.101:80", "94.176.234.118:443", "191.99.160.58:80", "185.94.252.12:80", "45.161.242.102:80", "181.36.42.205:443"]}
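
The extracted configuration above has two parts a responder can act on immediately: the RSA public key the bot uses to protect its C2 traffic, and the C2 list. The following is an added example, not part of the Joe Sandbox report, that parses that JSON with only the Python standard library: it walks the DER structure of the base64 key (a SubjectPublicKeyInfo) to confirm it is a well-formed RSA key and report its size, matches the C2 endpoints against connection-log lines, and emits one Snort-style rule per endpoint. The C2 list is cut to seven entries and the log lines are constructed (192.0.2.10 is a documentation address standing in for benign traffic); the port-insensitive fallback match and the SID range in the rules are choices made here, not something the report states.

```python
"""Validate an extracted Emotet configuration and hunt for its C2 endpoints.

Added example (not from the Joe Sandbox report); standard library only.
- parse_rsa_spki: minimal DER walk over the base64 SubjectPublicKeyInfo,
  returning (modulus bits, public exponent); rejects non-RSA input.
- hunt_c2: match constructed connection-log lines against the C2 list.
- snort_rules: one alert rule per configured ip:port.
"""
import base64
import json

# Configuration as extracted by the sandbox; the C2 list is cut to the
# entries needed for the demo (the report has 80).
CONFIG_JSON = r'''{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["58.171.153.81:80", "104.131.103.128:443", "66.228.49.173:8080", "104.131.103.37:8080", "149.62.173.247:8080", "72.47.248.48:7080", "68.183.170.114:8080"]}'''

# Constructed log in a Zeek conn.log-like layout: ts src sport dst dport proto.
# 192.0.2.10 is a documentation address standing in for benign traffic.
SAMPLE_CONN_LOG = """\
1623410001.12 192.168.2.3 49727 192.0.2.10 443 tcp
1623410003.40 192.168.2.3 49728 66.228.49.173 8080 tcp
1623410007.91 192.168.2.3 49734 104.131.103.37 8080 tcp
1623410010.05 192.168.2.3 49741 72.47.248.48 7080 tcp
1623410012.33 192.168.2.3 49750 104.131.103.37 80 tcp
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(key_b64):
    """Return (modulus_bits, exponent) from a base64 SubjectPublicKeyInfo."""
    der = base64.b64decode(key_b64)  # embedded newlines are discarded
    tag, spki, end = der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one top-level SEQUENCE")
    tag, alg, pos = der_tlv(spki, 0)            # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    oid_tag, oid, _ = der_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = der_tlv(spki, pos)           # BIT STRING; first byte = unused bits
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    _, rsa_pub, _ = der_tlv(bits, 1)            # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_bytes, pos = der_tlv(rsa_pub, 0)
    _, e_bytes, _ = der_tlv(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big").bit_length(), int.from_bytes(e_bytes, "big")


def load_config(text):
    """Return (key_b64, {(ip, port), ...}) from the extractor's JSON."""
    cfg = json.loads(text)
    c2 = set()
    for entry in cfg["C2 list"]:
        host, port = entry.rsplit(":", 1)
        c2.add((host, int(port)))
    return cfg["RSA Public Key"], c2


def hunt_c2(conn_log, c2):
    """Return (dst_ip, dst_port, kind) for every log line reaching a C2.
    kind is 'exact' for a configured ip:port and 'ip-only' when only the
    address matches (a choice made here so a port change is not missed)."""
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for line in conn_log.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        dst_ip, dst_port = fields[3], int(fields[4])
        if (dst_ip, dst_port) in c2:
            hits.append((dst_ip, dst_port, "exact"))
        elif dst_ip in c2_ips:
            hits.append((dst_ip, dst_port, "ip-only"))
    return hits


def snort_rules(c2, base_sid=9000000):
    """One Snort/Suricata rule per C2 endpoint, in a stable order."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Emotet C2 {ip}:{port} '
        f'from sandbox config"; flow:to_server,established; sid:{base_sid + i}; rev:1;)'
        for i, (ip, port) in enumerate(sorted(c2))
    ]


if __name__ == "__main__":
    key_b64, c2 = load_config(CONFIG_JSON)
    bits, e = parse_rsa_spki(key_b64)
    print(f"RSA public key: {bits}-bit modulus, e={e}")
    for hit in hunt_c2(SAMPLE_CONN_LOG, c2):
        print("C2 hit:", hit)
    print("\n".join(snort_rules(c2)[:2]))
```

The key in this report decodes to a 768-bit modulus with exponent 65537; the size is worth recording alongside the C2 list, since the key is part of what distinguishes one botnet configuration from another.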

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.465228013.0000000001140000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.203541228.0000000002DC1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.203533038.0000000002DB0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000002.00000002.465253689.0000000001151000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.mormanti.exe.2db053f.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
2.2.eventvwr.exe.114053f.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0.2.mormanti.exe.2db053f.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
2.2.eventvwr.exe.114053f.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: mormanti.exe | Avira: detected
Found malware configuration
Source: 0.2.mormanti.exe.2db053f.1.raw.unpack | Malware Configuration Extractor: Emotet (RSA public key and 80-entry C2 list as given in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: mormanti.exe | Virustotal: Detection: 74%
Source: mormanti.exe | ReversingLabs: Detection: 82%
Source: mormanti.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\mormanti.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Source: mormanti.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb` | source: mormanti.exe, 00000000.00000002.203184717.0000000000C14000.00000002.00020000.sdmp, eventvwr.exe, 00000002.00000002.465026006.0000000000C14000.00000002.00020000.sdmp
Source: Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb`@ | source: mormanti.exe
Source: Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb | source: mormanti.exe
(A PDB path is an arbitrary string set at build time and is trivially forged; treat it as a pivot for finding related samples, not as evidence of who wrote the code.)
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_02DC2871 FindFirstFileW,FindNextFileW,FindClose

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited, 104.131.103.37 -> 192.168.2.3
(SID 486 fires on the ICMP unreachable reply returned for the connection attempt to the configured C2 104.131.103.37, i.e. that host was filtered or down during analysis; it is not a content match on Emotet C2 traffic.)
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: all 80 ip:port pairs of the "C2 list" in the Malware Configuration section above (58.171.153.81:80 through 181.36.42.205:443)
Source: unknown | Network traffic detected: IP country count 34
Source: global traffic | TCP traffic: 192.168.2.3:49728 -> 66.228.49.173:8080
Source: global traffic | TCP traffic: 192.168.2.3:49734 -> 104.131.103.37:8080
Source: global traffic | TCP traffic: 192.168.2.3:49740 -> 149.62.173.247:8080
Source: global traffic | TCP traffic: 192.168.2.3:49741 -> 72.47.248.48:7080
Source: global traffic | TCP traffic: 192.168.2.3:49744 -> 68.183.170.114:8080
Source: Joe Sandbox View | IP Address: 149.62.173.247
Source: Joe Sandbox View | IP Address: 204.225.249.100
Source: Joe Sandbox View | ASN Name: INFORTELECOM-ASES
Source: Joe Sandbox View | ASN Name: CLAROSABR
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: unknown | TCP traffic detected without corresponding DNS query: 58.171.153.81 (listed 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 104.131.103.128 (listed 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.49.173 (listed 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 104.131.103.37 (listed 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 149.62.173.247 (listed 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 72.47.248.48 (listed 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 68.183.170.114 (listed 3 times)
Source: eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp | String found in binary or memory: http://104.131.103.128:443/iNVKl1XPWZqml34fy2r/3FDoguFdfDtjz/
Source: eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp | String found in binary or memory: http://149.62.173.247/kH8ALNiaGV/5bEuMKuJNKlslD3n/rvXy2RpDwZlslOQBeY7/BCLTdgbwF6J8vsIGfDq/jZ9iV8xFle
Source: eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp | String found in binary or memory: http://149.62.173.247:8080/kH8ALNiaGV/5bEuMKuJNKlslD3n/rvXy2RpDwZlslOQBeY7/BCLTdgbwF6J8vsIGfDq/jZ9iV
Source: eventvwr.exe, 00000002.00000003.334412522.00000000034DC000.00000004.00000001.sdmp | String found in binary or memory: http://58.171.153.81/j4XmHhlvX7h4pe/uu11HumRcyQn/3XzJ/ymPM07W/vKmfGodTznrrD/
Source: eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: http://66.228.49.173/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/
Source: eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: http://66.228.49.173:8080/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/
Source: eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: http://66.228.49.173:8080/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/s(KF
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp | String found in binary or memory: http://68.183.170.114/nFzrf7w0/EO2pZ/MQ0xve/
Source: eventvwr.exe, 00000002.00000002.466095172.0000000002ED6000.00000004.00000001.sdmp, eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp | String found in binary or memory: http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/
Source: eventvwr.exe, 00000002.00000002.466095172.0000000002ED6000.00000004.00000001.sdmp | String found in binary or memory: http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/:
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp | String found in binary or memory: http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/c
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp | String found in binary or memory: http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp | String found in binary or memory: http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/6O
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp | String found in binary or memory: http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/CL:
(The svchost.exe strings below come from Windows service-host processes that the sample did not spawn, see the process tree; they are standard Windows endpoints such as DigiCert CRL/OCSP, WS-Addressing schemas, Bing Maps, Xbox Live and the notification service, and are not indicators for this sample.)
Source: svchost.exe, 00000006.00000002.466542718.0000022B0E414000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000006.00000002.466542718.0000022B0E414000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000006.00000002.466542718.0000022B0E414000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000006.00000002.465692005.0000022B08EA3000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/
Source: svchost.exe, 00000006.00000002.466806888.0000022B0E690000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000E.00000002.309089370.00000265B8A13000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000002.309153516.00000265B8A42000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000002.309153516.00000265B8A42000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.309177417.00000265B8A58000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309177417.00000265B8A58000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309177417.00000265B8A58000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309153516.00000265B8A42000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.286870020.00000265B8A31000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp | String found in binary or memory: https://fs.microsoft.c
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309089370.00000265B8A13000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.286870020.00000265B8A31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.286870020.00000265B8A31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.308721293.00000265B8A3A000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 0.2.mormanti.exe.2db053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.eventvwr.exe.114053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mormanti.exe.2db053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.eventvwr.exe.114053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.465228013.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.203541228.0000000002DC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.203533038.0000000002DB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.465253689.0000000001151000.00000020.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\mormanti.exe | File created: C:\Windows\SysWOW64\msmpeg2vdec\
Source: C:\Users\user\Desktop\mormanti.exe | File deleted: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe:Zone.Identifier
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_02DB23AF
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_02DB253B
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_02DC2BFC
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_02DC2A70
Source: mormanti.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mormanti.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mormanti.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mormanti.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mormanti.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mormanti.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mormanti.exe, 00000000.00000002.203709994.0000000003060000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs mormanti.exe
Source: mormanti.exe, 00000000.00000002.203709994.0000000003060000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs mormanti.exe
Source: mormanti.exe, 00000000.00000002.203665960.0000000003000000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs mormanti.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: mormanti.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine | Classification label: mal100.troj.evad.winEXE@17/8@0/81
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5024:120:WilError_01
Source: C:\Users\user\Desktop\mormanti.exe | Command line argument: schtasks.exe (0_2_00C121FD)
Source: C:\Users\user\Desktop\mormanti.exe | Command line argument: 4096 (0_2_00C121FD)
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe | Command line argument: schtasks.exe (2_2_00C121FD)
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe | Command line argument: 4096 (2_2_00C121FD)
Source: mormanti.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\mormanti.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\mormanti.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: mormanti.exe | Virustotal: Detection: 74%
Source: mormanti.exe | ReversingLabs: Detection: 82%
Source: unknown | Process created: C:\Users\user\Desktop\mormanti.exe 'C:\Users\user\Desktop\mormanti.exe'
Source: C:\Users\user\Desktop\mormanti.exe | Process created: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mormanti.exe | Process created: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\mormanti.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\mormanti.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Source: mormanti.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mormanti.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mormanti.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mormanti.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mormanti.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mormanti.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: mormanti.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: mormanti.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb` | source: mormanti.exe, 00000000.00000002.203184717.0000000000C14000.00000002.00020000.sdmp, eventvwr.exe, 00000002.00000002.465026006.0000000000C14000.00000002.00020000.sdmp
Source: Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb`@ | source: mormanti.exe
Source: Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb | source: mormanti.exe
Source: mormanti.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mormanti.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mormanti.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mormanti.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mormanti.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_00C12D89 push ecx; ret 0_2_00C12D9C
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_00C13121 push ecx; ret 0_2_00C13134
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe | Code function: 2_2_00C12D89 push ecx; ret 2_2_00C12D9C
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe | Code function: 2_2_00C13121 push ecx; ret 2_2_00C13134

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\mormanti.exe | Executable created and started: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe
Source: C:\Users\user\Desktop\mormanti.exe | PE file moved: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\mormanti.exe | File opened: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\mormanti.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\mormanti.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess (graph_0-6572)
Source: C:\Windows\System32\svchost.exe TID: 3980 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\mormanti.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_02DC2871 FindFirstFileW,FindNextFileW,FindClose
Source: svchost.exe, 00000005.00000002.227092288.0000025121F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.276841534.000001F85F660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.291456589.000001F7F1260000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.466345591.000001C4ADF40000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000006.00000002.466653401.0000022B0E460000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW
Source: eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.466637022.0000022B0E453000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.465149550.000001E006C02000.00000004.00000001.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000005.00000002.227092288.0000025121F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.276841534.000001F85F660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.291456589.000001F7F1260000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.466345591.000001C4ADF40000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000005.00000002.227092288.0000025121F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.276841534.000001F85F660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.291456589.000001F7F1260000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.466345591.000001C4ADF40000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000006.00000002.465518449.0000022B08E29000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW@aF
Source: svchost.exe, 0000000A.00000002.465212488.000001E006C29000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.465407534.000001C4AD251000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.465492639.0000016AC822A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000005.00000002.227092288.0000025121F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.276841534.000001F85F660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.291456589.000001F7F1260000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.466345591.000001C4ADF40000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_00C1272C IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_00C11FF2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_02DB304D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_02DB0467 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_02DB277C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_02DC370E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_02DC2E3D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe | Code function: 2_2_00C11FF2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mormanti.exe | Code function: 0_2_00C1272C IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe | Code function: 2_2_00C1272C IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess