Windows Analysis Report KNEa2w7v3a.exe

Overview

General Information

Sample Name: KNEa2w7v3a.exe
Analysis ID: 463770
MD5: f8adcf71a8c4e5c16d11308dff998ece
SHA1: 2246c5925aca1446078a4cacbafeda7076eb050a
SHA256: 5303823581f2696ae62f21e42a8b0c4d446d2fa9f820e0f04a15992d6a59c59b

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to several IPs in different countries
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • svchost.exe (PID: 5868 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • KNEa2w7v3a.exe (PID: 5700 cmdline: 'C:\Users\user\Desktop\KNEa2w7v3a.exe' MD5: F8ADCF71A8C4E5C16D11308DFF998ECE)
    • wiaacmgr.exe (PID: 6124 cmdline: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe MD5: F8ADCF71A8C4E5C16D11308DFF998ECE)
  • svchost.exe (PID: 5376 cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1736 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4260 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5900 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2024 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4364 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6076 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4788 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5728 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 496 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 1180 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 4072 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 720 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
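
The process tree above shows the sample re-launching itself from C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe with the original file's MD5, and a second copy running from C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe (process 5 in the signature sources below): a non-standard subdirectory of SysWOW64 holding a binary named after a legitimate Windows component. The following hunt is an added example and is not part of the Joe Sandbox report. It flags (a) an .exe in a first-level subdirectory of System32 or SysWOW64 whose file name also exists directly in that system directory but with a different hash, and (b) one hash appearing under two or more different file names. The inventory is constructed from the report's paths; the "legit-..." hashes are placeholders, and the hash of the second copy is assumed to equal the sample's for the example. On a live host, collect_inventory() builds the same structure with os.walk and hashlib.

```python
import hashlib
import os
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE_MD5 = "f8adcf71a8c4e5c16d11308dff998ece"  # MD5 of KNEa2w7v3a.exe from the report
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed inventory of (path, md5) modelled on the report's process tree.
# "legit-..." values are placeholders for the hashes of the real Windows binaries.
INVENTORY = [
    (r"C:\Windows\System32\wiaacmgr.exe", "legit-wiaacmgr"),
    (r"C:\Windows\SysWOW64\wiaacmgr.exe", "legit-wiaacmgr-wow64"),
    (r"C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe", SAMPLE_MD5),
    # Hash assumed equal to the sample's; the report does not list it.
    (r"C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe", SAMPLE_MD5),
    (r"C:\Windows\SysWOW64\en-US\wiaacmgr.exe.mui", "legit-mui"),  # resource file, not a PE
    (r"C:\Windows\System32\wbem\WMIC.exe", "legit-wmic"),           # legitimate exe in a subdir
]


def md5_file(path, chunk=1 << 20):
    """MD5 of a file on disk (MD5 because the report keys its identifiers on MD5)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_inventory(root=r"C:\Windows\SysWOW64", max_depth=1):
    """Hash every .exe under root down to max_depth; returns (path, md5) pairs like INVENTORY."""
    out = []
    root_depth = root.rstrip("\\").count("\\")
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.count("\\") - root_depth >= max_depth:
            dirnames[:] = []  # do not descend further
        for name in filenames:
            if name.lower().endswith(".exe"):
                p = os.path.join(dirpath, name)
                try:
                    out.append((p, md5_file(p)))
                except OSError:
                    pass  # locked or access-denied files are skipped, not fatal
    return out


def find_masquerading_drops(inventory):
    """Rule (a): .exe one level below System32/SysWOW64 whose name exists directly in
    that system directory but whose hash differs from the real binary."""
    by_dir = {}  # lowercased system dir -> {lowercased file name: md5}
    for path, md5 in inventory:
        p = PureWindowsPath(path)
        parent = str(p.parent).lower()
        if parent in SYSTEM_DIRS:
            by_dir.setdefault(parent, {})[p.name.lower()] = md5
    hits = []
    for path, md5 in inventory:
        p = PureWindowsPath(path)
        if p.suffix.lower() != ".exe":
            continue
        parent, grandparent = str(p.parent).lower(), str(p.parent.parent).lower()
        if grandparent in SYSTEM_DIRS and parent not in SYSTEM_DIRS:
            sibling_md5 = by_dir.get(grandparent, {}).get(p.name.lower())
            if sibling_md5 is not None and sibling_md5 != md5:
                hits.append(path)
    return hits


def find_hash_reuse(inventory):
    """Rule (b): one hash present under two or more distinct file names."""
    names = defaultdict(set)
    for path, md5 in inventory:
        names[md5].add(PureWindowsPath(path).name.lower())
    return {md5: sorted(n) for md5, n in names.items() if len(n) > 1}


if __name__ == "__main__":
    # Replace INVENTORY with collect_inventory() on a real Windows host.
    print("name collision with different hash:", find_masquerading_drops(INVENTORY))
    print("same hash under several names:", find_hash_reuse(INVENTORY))
```

Rule (a) alone misses the CompPkgSup copy, because Windows.Media.Playback.MediaPlayer.exe has no sibling in SysWOW64 to compare against; rule (b) catches it through the shared hash, which is why both are run together.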

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["190.202.229.74:80", "118.69.11.81:7080", "70.39.251.94:8080", "87.230.25.43:8080", "94.23.62.116:8080", "37.187.161.206:8080", "45.46.37.97:80", "138.97.60.141:7080", "177.144.130.105:8080", "169.1.39.242:80", "209.236.123.42:8080", "202.134.4.210:7080", "193.251.77.110:80", "2.45.176.233:80", "217.13.106.14:8080", "189.223.16.99:80", "190.101.156.139:80", "77.238.212.227:80", "181.58.181.9:80", "37.183.81.217:80", "74.58.215.226:80", "174.118.202.24:443", "168.197.45.36:80", "81.215.230.173:443", "192.175.111.212:7080", "216.47.196.104:80", "128.92.203.42:80", "94.176.234.118:443", "191.182.6.118:80", "212.71.237.140:8080", "24.232.228.233:80", "177.73.0.98:443", "177.23.7.151:80", "24.135.69.146:80", "83.169.21.32:7080", "189.34.181.88:80", "179.222.115.170:80", "177.144.130.105:443", "213.197.182.158:8080", "5.89.33.136:80", "77.78.196.173:443", "120.72.18.91:80", "50.28.51.143:8080", "190.64.88.186:443", "111.67.12.221:8080", "12.162.84.2:8080", "46.105.114.137:8080", "59.148.253.194:8080", "201.213.177.139:80", "82.76.52.155:80", "172.104.169.32:8080", "188.251.213.180:80", "46.43.2.95:8080", "137.74.106.111:7080", "188.135.15.49:80", "185.94.252.27:443", "197.232.36.108:80", "60.249.78.226:8080", "187.162.248.237:80", "181.129.96.162:8080", "46.101.58.37:8080", "109.242.153.9:80", "178.211.45.66:8080", "200.59.6.174:80", "83.103.179.156:80", "172.86.186.21:8080", "70.32.115.157:8080", "81.214.253.80:443", "201.49.239.200:443", "149.202.72.142:7080", "190.45.24.210:80", "186.189.249.2:80", "219.92.13.25:80", "170.81.48.2:80", "51.75.33.127:80", "192.241.143.52:8080", "45.33.77.42:8080", "152.169.22.67:80", "1.226.84.243:8080", "78.206.229.130:80", "37.179.145.105:80", "68.183.170.114:8080", "192.232.229.54:7080", "103.236.179.162:80", "70.32.84.74:8080", "79.118.74.90:80", "60.93.23.51:80", "181.120.29.49:80", "213.52.74.198:80", "51.255.165.160:8080", "183.176.82.231:80", "186.193.229.123:80", "98.103.204.12:443", "129.232.220.11:8080", "181.61.182.143:80", "68.183.190.199:8080", "190.115.18.139:8080", "200.24.255.23:80", "103.13.224.53:80", "85.214.26.7:8080", "190.24.243.186:80", "87.106.46.107:8080", "177.107.79.214:8080", "12.163.208.58:80", "187.162.250.23:443", "109.101.137.162:8080", "82.76.111.249:443", "181.30.61.163:443", "5.196.35.138:7080", "51.15.7.145:80", "192.198.91.138:443", "188.157.101.114:80", "189.2.177.210:443", "181.123.6.86:80", "109.190.35.249:80", "45.16.226.117:443", "190.190.219.184:80", "104.131.41.185:8080", "101.187.81.254:80", "62.84.75.50:80", "178.250.54.208:8080", "201.71.228.86:80", "190.92.122.226:80", "138.97.60.140:8080"]}
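
The extracted configuration is a base64 DER SubjectPublicKeyInfo plus a list of ip:port C2 endpoints. The sandbox's own crypto evidence further down (CryptDecodeObjectEx, CryptImportKey, CryptGenKey, CryptEncrypt, CryptExportKey in process 5) is consistent with the bot decoding this key, generating a session key and exporting it encrypted under the RSA key, so the first thing worth knowing about the key is its size. The code below is an added example, not part of the Joe Sandbox report: it decodes the key with a minimal hand-written DER walk (no third-party crypto library needed, so it runs anywhere), histograms the C2 ports, and checks the TCP destinations the sandbox actually observed (from the Networking section) against the C2 list. The RSA key is copied verbatim from the configuration; C2_SUBSET is a ten-entry subset of the report's 124 C2s, labelled as such, and OBSERVED_FLOWS are the five destinations listed in the report's TCP traffic lines.

```python
import base64
from collections import Counter

# RSA public key exactly as extracted by the sandbox (base64 DER SubjectPublicKeyInfo).
EMOTET_RSA_B64 = (
    "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6"
    "uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz"
    "6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"
)

# Subset of the report's C2 list (the full configuration carries 124 entries).
C2_SUBSET = [
    "190.202.229.74:80", "118.69.11.81:7080", "70.39.251.94:8080",
    "87.230.25.43:8080", "94.23.62.116:8080", "37.187.161.206:8080",
    "45.46.37.97:80", "174.118.202.24:443", "81.214.253.80:443",
    "94.176.234.118:443",
]

# Destinations the sandbox saw the sample contact (the report's "TCP traffic" lines).
OBSERVED_FLOWS = [
    "118.69.11.81:7080", "70.39.251.94:8080", "87.230.25.43:8080",
    "94.23.62.116:8080", "37.187.161.206:8080",
]

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; returns (tag, value, next_pos).
    Short and long definite lengths only, which is all a SubjectPublicKeyInfo uses."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64):
    """Decode a base64 DER SubjectPublicKeyInfo wrapping a PKCS#1 RSAPublicKey into (n, e)."""
    der = base64.b64decode(b64.replace("\n", ""))
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)              # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _tlv(spki, pos)           # BIT STRING holding RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    tag, rsa, _ = _tlv(bitstr[1:], 0)
    tag_n, n_bytes, pos = _tlv(rsa, 0)
    tag_e, e_bytes, _ = _tlv(rsa, pos)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_summary(b64=EMOTET_RSA_B64):
    """(modulus bit length, public exponent) of the extracted key."""
    n, e = parse_rsa_spki(b64)
    return n.bit_length(), e


def c2_ports(c2_list):
    """Histogram of C2 ports. Emotet mixes 80/443 with 7080/8080; the latter are the
    cheap network tell behind 'Detected TCP or UDP traffic on non-standard ports'."""
    return dict(Counter(int(ep.rsplit(":", 1)[1]) for ep in c2_list))


def matched_c2(c2_list, flows):
    """Observed destination endpoints that appear in the extracted C2 list, in order."""
    known = set(c2_list)
    return [dst for dst in flows if dst in known]


if __name__ == "__main__":
    bits, e = key_summary()
    print(f"RSA modulus: {bits} bits, e = {e}")
    print("C2 ports:", c2_ports(C2_SUBSET))
    print("observed flows present in C2 list:", matched_c2(C2_SUBSET, OBSERVED_FLOWS))
```

Decoding gives a 768-bit modulus with e = 65537, which fits the key sizes Emotet has used for its C2 key and is what you would expect a CryptImportKey call on this blob to produce. The C2 list as stored in the configuration is the natural source for block lists and for matching proxy or NetFlow records; the port histogram explains why the sandbox flagged non-standard-port traffic.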

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.471191876.00000000020F0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.206004453.0000000002641000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.210049440.0000000002181000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.205611516.0000000002294000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000005.00000002.471538485.0000000002211000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(4 further entries not included in this export)

Unpacked PEs

Source | Rule | Description | Author
4.2.wiaacmgr.exe.20c052e.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
4.2.wiaacmgr.exe.2180000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
1.2.KNEa2w7v3a.exe.223279e.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
1.2.KNEa2w7v3a.exe.223052e.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(10 further entries not included in this export)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: KNEa2w7v3a.exe | Avira: detected
Found malware configuration
Source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.unpack | Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["190.202.229.74:80", "118.69.11.81:7080", "70.39.251.94:8080", "87.230.25.43:8080", "94.23.62.116:8080", "37.187.161.206:8080", "45.46.37.97:80", "138.97.60.141:7080", "177.144.130.105:8080", "169.1.39.242:80", "209.236.123.42:8080", "202.134.4.210:7080", "193.251.77.110:80", "2.45.176.233:80", "217.13.106.14:8080", "189.223.16.99:80", "190.101.156.139:80", "77.238.212.227:80", "181.58.181.9:80", "37.183.81.217:80", "74.58.215.226:80", "174.118.202.24:443", "168.197.45.36:80", "81.215.230.173:443", "192.175.111.212:7080", "216.47.196.104:80", "128.92.203.42:80", "94.176.234.118:443", "191.182.6.118:80", "212.71.237.140:8080", "24.232.228.233:80", "177.73.0.98:443", "177.23.7.151:80", "24.135.69.146:80", "83.169.21.32:7080", "189.34.181.88:80", "179.222.115.170:80", "177.144.130.105:443", "213.197.182.158:8080", "5.89.33.136:80", "77.78.196.173:443", "120.72.18.91:80", "50.28.51.143:8080", "190.64.88.186:443", "111.67.12.221:8080", "12.162.84.2:8080", "46.105.114.137:8080", "59.148.253.194:8080", "201.213.177.139:80", "82.76.52.155:80", "172.104.169.32:8080", "188.251.213.180:80", "46.43.2.95:8080", "137.74.106.111:7080", "188.135.15.49:80", "185.94.252.27:443", "197.232.36.108:80", "60.249.78.226:8080", "187.162.248.237:80", "181.129.96.162:8080", "46.101.58.37:8080", "109.242.153.9:80", "178.211.45.66:8080", "200.59.6.174:80", "83.103.179.156:80", "172.86.186.21:8080", "70.32.115.157:8080", "81.214.253.80:443", "201.49.239.200:443", "149.202.72.142:7080", "190.45.24.210:80", "186.189.249.2:80", "219.92.13.25:80", "170.81.48.2:80", "51.75.33.127:80", "192.241.143.52:8080", "45.33.77.42:8080", "152.169.22.67:80", "1.226.84.243:8080", "78.206.229.130:80", "37.179.145.105:80", "68.183.170.114:8080", "192.232.229.54:7080", "103.236.179.162:80", "70.32.84.74:8080", "79.118.74.90:80", "60.93.23.51:80", "181.120.29.49:80", "213.52.74.198:80", "51.255.165.160:8080", "183.176.82.231:80", "186.193.229.123:80", "98.103.204.12:443", "129.232.220.11:8080", "181.61.182.143:80", "68.183.190.199:8080", "190.115.18.139:8080", "200.24.255.23:80", "103.13.224.53:80", "85.214.26.7:8080", "190.24.243.186:80", "87.106.46.107:8080", "177.107.79.214:8080", "12.163.208.58:80", "187.162.250.23:443", "109.101.137.162:8080", "82.76.111.249:443", "181.30.61.163:443", "5.196.35.138:7080", "51.15.7.145:80", "192.198.91.138:443", "188.157.101.114:80", "189.2.177.210:443", "181.123.6.86:80", "109.190.35.249:80", "45.16.226.117:443", "190.190.219.184:80", "104.131.41.185:8080", "101.187.81.254:80", "62.84.75.50:80", "178.250.54.208:8080", "201.71.228.86:80", "190.92.122.226:80", "138.97.60.140:8080"]}
Multi AV Scanner detection for submitted file
Source: KNEa2w7v3a.exe | Virustotal: Detection: 88%
Source: KNEa2w7v3a.exe | Metadefender: Detection: 48%
Source: KNEa2w7v3a.exe | ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: KNEa2w7v3a.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,1_2_00401600
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,4_2_00401600
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,5_2_00401600
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_02212680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey,5_2_02212680
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_022122C0 CryptExportKey,CryptDestroyHash,memcpy,CryptEncrypt,RtlAllocateHeap,CryptDuplicateHash,CryptGetHashParam,5_2_022122C0
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_02211FF0 memcpy,CryptDuplicateHash,CryptDestroyHash,RtlAllocateHeap,5_2_02211FF0
Source: KNEa2w7v3a.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_02643A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,1_2_02643A20
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_02183A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,4_2_02183A20
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_02213A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,5_2_02213A20

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 190.202.229.74:80
Source: Malware configuration extractor | IPs: 118.69.11.81:7080
Source: Malware configuration extractor | IPs: 70.39.251.94:8080
Source: Malware configuration extractor | IPs: 87.230.25.43:8080
Source: Malware configuration extractor | IPs: 94.23.62.116:8080
Source: Malware configuration extractor | IPs: 37.187.161.206:8080
Source: Malware configuration extractor | IPs: 45.46.37.97:80
Source: Malware configuration extractor | IPs: 138.97.60.141:7080
Source: Malware configuration extractor | IPs: 177.144.130.105:8080
Source: Malware configuration extractor | IPs: 169.1.39.242:80
Source: Malware configuration extractor | IPs: 209.236.123.42:8080
Source: Malware configuration extractor | IPs: 202.134.4.210:7080
Source: Malware configuration extractor | IPs: 193.251.77.110:80
Source: Malware configuration extractor | IPs: 2.45.176.233:80
Source: Malware configuration extractor | IPs: 217.13.106.14:8080
Source: Malware configuration extractor | IPs: 189.223.16.99:80
Source: Malware configuration extractor | IPs: 190.101.156.139:80
Source: Malware configuration extractor | IPs: 77.238.212.227:80
Source: Malware configuration extractor | IPs: 181.58.181.9:80
Source: Malware configuration extractor | IPs: 37.183.81.217:80
Source: Malware configuration extractor | IPs: 74.58.215.226:80
Source: Malware configuration extractor | IPs: 174.118.202.24:443
Source: Malware configuration extractor | IPs: 168.197.45.36:80
Source: Malware configuration extractor | IPs: 81.215.230.173:443
Source: Malware configuration extractor | IPs: 192.175.111.212:7080
Source: Malware configuration extractor | IPs: 216.47.196.104:80
Source: Malware configuration extractor | IPs: 128.92.203.42:80
Source: Malware configuration extractor | IPs: 94.176.234.118:443
Source: Malware configuration extractor | IPs: 191.182.6.118:80
Source: Malware configuration extractor | IPs: 212.71.237.140:8080
Source: Malware configuration extractor | IPs: 24.232.228.233:80
Source: Malware configuration extractor | IPs: 177.73.0.98:443
Source: Malware configuration extractor | IPs: 177.23.7.151:80
Source: Malware configuration extractor | IPs: 24.135.69.146:80
Source: Malware configuration extractor | IPs: 83.169.21.32:7080
Source: Malware configuration extractor | IPs: 189.34.181.88:80
Source: Malware configuration extractor | IPs: 179.222.115.170:80
Source: Malware configuration extractor | IPs: 177.144.130.105:443
Source: Malware configuration extractor | IPs: 213.197.182.158:8080
Source: Malware configuration extractor | IPs: 5.89.33.136:80
Source: Malware configuration extractor | IPs: 77.78.196.173:443
Source: Malware configuration extractor | IPs: 120.72.18.91:80
Source: Malware configuration extractor | IPs: 50.28.51.143:8080
Source: Malware configuration extractor | IPs: 190.64.88.186:443
Source: Malware configuration extractor | IPs: 111.67.12.221:8080
Source: Malware configuration extractor | IPs: 12.162.84.2:8080
Source: Malware configuration extractor | IPs: 46.105.114.137:8080
Source: Malware configuration extractor | IPs: 59.148.253.194:8080
Source: Malware configuration extractor | IPs: 201.213.177.139:80
Source: Malware configuration extractor | IPs: 82.76.52.155:80
Source: Malware configuration extractor | IPs: 172.104.169.32:8080
Source: Malware configuration extractor | IPs: 188.251.213.180:80
Source: Malware configuration extractor | IPs: 46.43.2.95:8080
Source: Malware configuration extractor | IPs: 137.74.106.111:7080
Source: Malware configuration extractor | IPs: 188.135.15.49:80
Source: Malware configuration extractor | IPs: 185.94.252.27:443
Source: Malware configuration extractor | IPs: 197.232.36.108:80
Source: Malware configuration extractor | IPs: 60.249.78.226:8080
Source: Malware configuration extractor | IPs: 187.162.248.237:80
Source: Malware configuration extractor | IPs: 181.129.96.162:8080
Source: Malware configuration extractor | IPs: 46.101.58.37:8080
Source: Malware configuration extractor | IPs: 109.242.153.9:80
Source: Malware configuration extractor | IPs: 178.211.45.66:8080
Source: Malware configuration extractor | IPs: 200.59.6.174:80
Source: Malware configuration extractor | IPs: 83.103.179.156:80
Source: Malware configuration extractor | IPs: 172.86.186.21:8080
Source: Malware configuration extractor | IPs: 70.32.115.157:8080
Source: Malware configuration extractor | IPs: 81.214.253.80:443
Source: Malware configuration extractor | IPs: 201.49.239.200:443
Source: Malware configuration extractor | IPs: 149.202.72.142:7080
Source: Malware configuration extractor | IPs: 190.45.24.210:80
Source: Malware configuration extractor | IPs: 186.189.249.2:80
Source: Malware configuration extractor | IPs: 219.92.13.25:80
Source: Malware configuration extractor | IPs: 170.81.48.2:80
Source: Malware configuration extractor | IPs: 51.75.33.127:80
Source: Malware configuration extractor | IPs: 192.241.143.52:8080
Source: Malware configuration extractor | IPs: 45.33.77.42:8080
Source: Malware configuration extractor | IPs: 152.169.22.67:80
Source: Malware configuration extractor | IPs: 1.226.84.243:8080
Source: Malware configuration extractor | IPs: 78.206.229.130:80
Source: Malware configuration extractor | IPs: 37.179.145.105:80
Source: Malware configuration extractor | IPs: 68.183.170.114:8080
Source: Malware configuration extractor | IPs: 192.232.229.54:7080
Source: Malware configuration extractor | IPs: 103.236.179.162:80
Source: Malware configuration extractor | IPs: 70.32.84.74:8080
Source: Malware configuration extractor | IPs: 79.118.74.90:80
Source: Malware configuration extractor | IPs: 60.93.23.51:80
Source: Malware configuration extractor | IPs: 181.120.29.49:80
Source: Malware configuration extractor | IPs: 213.52.74.198:80
Source: Malware configuration extractor | IPs: 51.255.165.160:8080
Source: Malware configuration extractor | IPs: 183.176.82.231:80
Source: Malware configuration extractor | IPs: 186.193.229.123:80
Source: Malware configuration extractor | IPs: 98.103.204.12:443
Source: Malware configuration extractor | IPs: 129.232.220.11:8080
Source: Malware configuration extractor | IPs: 181.61.182.143:80
Source: Malware configuration extractor | IPs: 68.183.190.199:8080
Source: Malware configuration extractor | IPs: 190.115.18.139:8080
Source: Malware configuration extractor | IPs: 200.24.255.23:80
Source: Malware configuration extractor | IPs: 103.13.224.53:80
Source: Malware configuration extractor | IPs: 85.214.26.7:8080
Source: Malware configuration extractor | IPs: 190.24.243.186:80
Source: Malware configuration extractor | IPs: 87.106.46.107:8080
Source: Malware configuration extractor | IPs: 177.107.79.214:8080
Source: Malware configuration extractor | IPs: 12.163.208.58:80
Source: Malware configuration extractor | IPs: 187.162.250.23:443
Source: Malware configuration extractor | IPs: 109.101.137.162:8080
Source: Malware configuration extractor | IPs: 82.76.111.249:443
Source: Malware configuration extractor | IPs: 181.30.61.163:443
Source: Malware configuration extractor | IPs: 5.196.35.138:7080
Source: Malware configuration extractor | IPs: 51.15.7.145:80
Source: Malware configuration extractor | IPs: 192.198.91.138:443
Source: Malware configuration extractor | IPs: 188.157.101.114:80
Source: Malware configuration extractor | IPs: 189.2.177.210:443
Source: Malware configuration extractor | IPs: 181.123.6.86:80
Source: Malware configuration extractor | IPs: 109.190.35.249:80
Source: Malware configuration extractor | IPs: 45.16.226.117:443
Source: Malware configuration extractor | IPs: 190.190.219.184:80
Source: Malware configuration extractor | IPs: 104.131.41.185:8080
Source: Malware configuration extractor | IPs: 101.187.81.254:80
Source: Malware configuration extractor | IPs: 62.84.75.50:80
Source: Malware configuration extractor | IPs: 178.250.54.208:8080
Source: Malware configuration extractor | IPs: 201.71.228.86:80
Source: Malware configuration extractor | IPs: 190.92.122.226:80
Source: Malware configuration extractor | IPs: 138.97.60.140:8080
Source: unknown | Network traffic detected: IP country count 38
Source: global traffic | TCP traffic: 192.168.2.3:49732 -> 118.69.11.81:7080
Source: global traffic | TCP traffic: 192.168.2.3:49734 -> 70.39.251.94:8080
Source: global traffic | TCP traffic: 192.168.2.3:49743 -> 87.230.25.43:8080
Source: global traffic | TCP traffic: 192.168.2.3:49746 -> 94.23.62.116:8080
Source: global traffic | TCP traffic: 192.168.2.3:49747 -> 37.187.161.206:8080
Source: Joe Sandbox View | IP Address: 81.214.253.80
Source: Joe Sandbox View | IP Address: 94.176.234.118
Source: Joe Sandbox View | ASN Name: TTNETTR
Source: Joe Sandbox View | ASN Name: RACKRAYUABRakrejusLT
                      Source: global trafficTCP traffic: 192.168.2.3:49723 -> 190.202.229.74:80
                      Source: unknownTCP traffic detected without corresponding DNS query: 190.202.229.74
                      Source: unknownTCP traffic detected without corresponding DNS query: 190.202.229.74
                      Source: unknownTCP traffic detected without corresponding DNS query: 190.202.229.74
                      Source: unknownTCP traffic detected without corresponding DNS query: 118.69.11.81
                      Source: unknownTCP traffic detected without corresponding DNS query: 118.69.11.81
                      Source: unknownTCP traffic detected without corresponding DNS query: 118.69.11.81
                      Source: unknownTCP traffic detected without corresponding DNS query: 70.39.251.94
                      Source: unknownTCP traffic detected without corresponding DNS query: 70.39.251.94
                      Source: unknownTCP traffic detected without corresponding DNS query: 70.39.251.94
                      Source: unknownTCP traffic detected without corresponding DNS query: 87.230.25.43
                      Source: unknownTCP traffic detected without corresponding DNS query: 87.230.25.43
                      Source: unknownTCP traffic detected without corresponding DNS query: 87.230.25.43
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.23.62.116
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.23.62.116
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.23.62.116
                      Source: unknownTCP traffic detected without corresponding DNS query: 37.187.161.206
                      Source: unknownTCP traffic detected without corresponding DNS query: 37.187.161.206
                      Source: unknownTCP traffic detected without corresponding DNS query: 37.187.161.206
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp | String found in binary or memory: http://118.69.11.81:7080/cLGKs29k/
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp | String found in binary or memory: http://118.69.11.81:7080/cLGKs29k/$
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp | String found in binary or memory: http://118.69.11.81:7080/cLGKs29k/0
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000003.295761237.000000000232D000.00000004.00000001.sdmp | String found in binary or memory: http://190.202.229.74/u2xUhDP9gvOFSFief0/IRiW/IMV8TOoDabstev/
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000003.295761237.000000000232D000.00000004.00000001.sdmp | String found in binary or memory: http://190.202.229.74/u2xUhDP9gvOFSFief0/IRiW/IMV8TOoDabstev/N
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp | String found in binary or memory: http://37.187.161.206:8080/AJT6ih/yjZb/vgDNbB0LE6VNEd/
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp | String found in binary or memory: http://70.39.251.94:8080/blOro9t0iLZ/z7z
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp | String found in binary or memory: http://70.39.251.94:8080/blOro9t7
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471741562.0000000002314000.00000004.00000001.sdmp | String found in binary or memory: http://94.23.62.116:8080/TkDGGoG/EjmXKjEQOJnYdPvRd/
Source: svchost.exe, 00000008.00000002.473175094.0000025EF6612000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000008.00000002.473175094.0000025EF6612000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000008.00000002.473175094.0000025EF6612000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000008.00000002.471064115.0000025EF0EA8000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/
Source: svchost.exe, 00000008.00000002.471064115.0000025EF0EA8000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: svchost.exe, 00000008.00000002.471064115.0000025EF0EA8000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 00000008.00000002.472934812.0000025EF6490000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000E.00000002.309780751.000001EB87013000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.309511986.000001EB87049000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.309574519.000001EB87050000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.309526286.000001EB87040000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000003.309526286.000001EB87040000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.309526286.000001EB87040000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 0000000E.00000003.309511986.000001EB87049000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.309483788.000001EB87063000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.309511986.000001EB87049000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309780751.000001EB87013000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.309526286.000001EB87040000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000003.309574519.000001EB87050000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: KNEa2w7v3a.exe, 00000001.00000002.205452158.000000000069A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 4.2.wiaacmgr.exe.20c052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.wiaacmgr.exe.2180000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.KNEa2w7v3a.exe.223279e.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.KNEa2w7v3a.exe.223052e.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.KNEa2w7v3a.exe.223052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f279e.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.wiaacmgr.exe.20c052e.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.2210000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.KNEa2w7v3a.exe.2640000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.wiaacmgr.exe.20c279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.wiaacmgr.exe.20c279e.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.KNEa2w7v3a.exe.223279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.471191876.00000000020F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.206004453.0000000002641000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.210049440.0000000002181000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.205611516.0000000002294000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.471538485.0000000002211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.209938070.0000000002124000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.471462272.00000000021B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.205562844.0000000002230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.209835926.00000000020C0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_02212680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_021891E0 OpenSCManagerW,CloseServiceHandle,DeleteService,CloseServiceHandle
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | File created: C:\Windows\SysWOW64\rdvgogl32\
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | File deleted: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe:Zone.Identifier
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_02648330
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_026486F0
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_02646860
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_02647B30
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_02643CE0
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_02643EE0
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_026442C9
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_026441B7
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_02644190
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_02235E67
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_02235A7E
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_0223A28E
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_022396CE
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_02239ECE
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_022383FE
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_0223587E
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_02235D2E
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_02235D55
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_02188330
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_021886F0
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_02187B30
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_02186860
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_02184190
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_021841B7
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_021842C9
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_02183CE0
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_02183EE0
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_020C5E67
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_020C5A7E
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_020CA28E
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_020C96CE
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_020C9ECE
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_020C83FE
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_020C587E
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_020C5D2E
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: 4_2_020C5D55
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_022186F0
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_02218330
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_02217B30
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_02216860
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_022141B7
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_02214190
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_02213CE0
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_02213EE0
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_022142C9
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_020F5E67
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_020F5A7E
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_020FA28E
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_020F96CE
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_020F9ECE
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_020F83FE
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_020F587E
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_020F5D2E
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_020F5D55
Source: KNEa2w7v3a.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KNEa2w7v3a.exe, 00000001.00000002.206292457.0000000002A10000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs KNEa2w7v3a.exe
Source: KNEa2w7v3a.exe, 00000001.00000002.206292457.0000000002A10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs KNEa2w7v3a.exe
Source: KNEa2w7v3a.exe, 00000001.00000002.206154268.0000000002920000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs KNEa2w7v3a.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: KNEa2w7v3a.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: classification engine | Classification label: mal96.troj.evad.winEXE@21/11@0/100
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle, 1_2_02648CA0
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle, 4_2_02188CA0
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe | Code function: 5_2_02214FD0 Process32NextW,Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,FindCloseChangeNotification
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Code function: 1_2_02645390 ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1396:120:WilError_01
Source: KNEa2w7v3a.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: KNEa2w7v3a.exe | Virustotal: Detection: 88%
Source: KNEa2w7v3a.exe | Metadefender: Detection: 48%
Source: KNEa2w7v3a.exe | ReversingLabs: Detection: 96%
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Users\user\Desktop\KNEa2w7v3a.exe 'C:\Users\user\Desktop\KNEa2w7v3a.exe'
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Process created: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Process created: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Process created: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe | Process created: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                      Source: C:\Users\user\Desktop\KNEa2w7v3a.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior