Play interactive tour

Edit tour

Analysis Report 2ojdmC51As.exe

Overview

General Information

Sample Name:	2ojdmC51As.exe
Analysis ID:	367934
MD5:	5804d97670dcdfab88ba830682355dad
SHA1:	65c817fb511824fa185f34ecd744b836ed7a19eb
SHA256:	4e885ada930e285a005c5211b8a652dc0eb11a06ccf530561afa88aefe99c9fc
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Emotet

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Connects to several IPs in different countries

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

2ojdmC51As.exe (PID: 5356 cmdline: 'C:\Users\user\Desktop\2ojdmC51As.exe' MD5: 5804D97670DCDFAB88BA830682355DAD)

iasrecst.exe (PID: 2964 cmdline: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe MD5: 5804D97670DCDFAB88BA830682355DAD)

svchost.exe (PID: 396 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5292 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6048 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5116 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 5456 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 5548 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 4660 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6492 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7096 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6208 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6596 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["200.116.145.225:443", "96.126.101.6:8080", "5.196.108.185:8080", "167.114.153.111:8080", "194.187.133.160:443", "98.174.164.72:80", "103.86.49.11:8080", "78.24.219.147:8080", "50.245.107.73:443", "110.145.77.103:80", "94.200.114.161:80", "61.19.246.238:443", "194.4.58.192:7080", "209.54.13.14:80", "102.182.93.220:80", "186.70.56.94:443", "203.153.216.189:7080", "49.50.209.131:80", "176.113.52.6:443", "62.30.7.67:443", "61.76.222.210:80", "113.61.66.94:80", "157.245.99.39:8080", "216.139.123.119:80", "184.180.181.202:80", "123.142.37.166:80", "124.41.215.226:80", "119.59.116.21:8080", "41.185.28.84:8080", "5.39.91.110:7080", "220.245.198.194:80", "139.162.108.71:8080", "75.143.247.51:80", "74.214.230.200:80", "185.94.252.104:443", "208.180.207.205:80", "49.3.224.99:8080", "93.147.212.206:80", "182.208.30.18:443", "95.213.236.64:8080", "37.187.72.193:8080", "59.125.219.109:443", "37.179.204.33:80", "95.9.5.93:80", "168.235.67.138:7080", "118.83.154.64:443", "121.7.31.214:80", "74.208.45.104:8080", "87.106.136.232:8080", "138.68.87.218:443", "62.75.141.82:80", "66.76.12.94:8080", "202.134.4.216:8080", "47.36.140.164:80", "110.142.236.207:80", "134.209.144.106:443", "89.216.122.92:80", "75.188.96.231:80", "24.179.13.119:80", "218.147.193.146:80", "174.106.122.139:80", "71.15.245.148:8080", "104.131.11.150:443", "202.141.243.254:443", "94.230.70.6:80", "24.178.90.49:80", "97.82.79.83:80", "68.252.26.78:80", "173.63.222.65:80", "162.241.242.173:8080", "79.137.83.50:443", "80.241.255.202:8080", "120.150.60.189:80", "96.245.227.43:80", "50.91.114.38:80", "83.110.223.58:443", "24.230.141.169:80", "37.139.21.175:8080", "202.134.4.211:8080", "190.240.194.77:443", "176.111.60.55:8080", "123.176.25.234:80", "209.141.54.221:7080", "115.94.207.99:443", "50.35.17.13:80", "109.74.5.95:8080", "120.150.218.241:443", "121.124.124.40:7080", "217.20.166.178:7080", "108.46.29.236:80", "2.58.16.89:8080", "85.105.111.166:80", "137.59.187.107:8080", "139.162.60.124:8080", "76.175.162.101:80", "139.99.158.11:443", "104.131.123.136:443", "91.211.88.52:7080", "91.146.156.228:80", "172.104.97.173:8080", "89.121.205.18:80", "186.74.215.34:80", "61.33.119.226:443", "162.241.140.129:8080", "130.0.132.242:80", "190.108.228.27:443", "201.241.127.190:80", "87.106.139.101:8080", "78.188.106.53:443", "188.219.31.12:80", "76.171.227.238:80", "72.143.73.234:443", "62.171.142.179:8080", "139.59.60.244:8080", "24.137.76.62:80", "172.86.188.251:8080", "172.91.208.86:80", "94.23.237.171:443"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.494960467.0000000000710000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.231317711.0000000002194000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.496587282.0000000002284000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.230964663.0000000000600000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.2ojdmC51As.exe.21e0000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.iasrecst.exe.71052e.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.iasrecst.exe.71279e.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.2ojdmC51As.exe.60279e.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.iasrecst.exe.71052e.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.2ojdmC51As.exe.60052e.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.iasrecst.exe.71279e.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.iasrecst.exe.22c0000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.2ojdmC51As.exe.60279e.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.2ojdmC51As.exe.60052e.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.2ojdmC51As.exe.21e0000.3.unpack

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["200.116.145.225:443", "96.126.101.6:8080", "5.196.108.185:8080", "167.114.153.111:8080", "194.187.133.160:443", "98.174.164.72:80", "103.86.49.11:8080", "78.24.219.147:8080", "50.245.107.73:443", "110.145.77.103:80", "94.200.114.161:80", "61.19.246.238:443", "194.4.58.192:7080", "209.54.13.14:80", "102.182.93.220:80", "186.70.56.94:443", "203.153.216.189:7080", "49.50.209.131:80", "176.113.52.6:443", "62.30.7.67:443", "61.76.222.210:80", "113.61.66.94:80", "157.245.99.39:8080", "216.139.123.119:80", "184.180.181.202:80", "123.142.37.166:80", "124.41.215.226:80", "119.59.116.21:8080", "41.185.28.84:8080", "5.39.91.110:7080", "220.245.198.194:80", "139.162.108.71:8080", "75.143.247.51:80", "74.214.230.200:80", "185.94.252.104:443", "208.180.207.205:80", "49.3.224.99:8080", "93.147.212.206:80", "182.208.30.18:443", "95.213.236.64:8080", "37.187.72.193:8080", "59.125.219.109:443", "37.179.204.33:80", "95.9.5.93:80", "168.235.67.138:7080", "118.83.154.64:443", "121.7.31.214:80", "74.208.45.104:8080", "87.106.136.232:8080", "138.68.87.218:443", "62.75.141.82:80", "66.76.12.94:8080", "202.134.4.216:8080", "47.36.140.164:80", "110.142.236.207:80", "134.209.144.106:443", "89.216.122.92:80", "75.188.96.231:80", "24.179.13.119:80", "218.147.193.146:80", "174.106.122.139:80", "71.15.245.148:8080", "104.131.11.150:443", "202.141.243.254:443", "94.230.70.6:80", "24.178.90.49:80", "97.82.79.83:80", "68.252.26.78:80", "173.63.222.65:80", "162.241.242.173:8080", "79.137.83.50:443", "80.241.255.202:8080", "120.150.60.189:80", "96.245.227.43:80", "50.91.114.38:80", "83.110.223.58:443", "24.230.141.169:80", "37.139.21.175:8080", "202.134.4.211:8080", "190.240.194.77:443", "176.111.60.55:8080", "123.176.25.234:80", "209.141.54.221:7080", "115.94.207.99:443", "50.35.17.13:80", "109.74.5.95:8080", "120.150.218.241:443", "121.124.124.40:7080", "217.20.166.178:7080", "108.46.29.236:80", "2.58.16.89:8080", "85.105.111.166:80", "137.59.187.107:8080", "139.162.60.124:8080", "76.175.162.101:80", "139.99.158.11:443", "104.131.123.136:443", "91.211.88.52:7080", "91.146.156.228:80", "172.104.97.173:8080", "89.121.205.18:80", "186.74.215.34:80", "61.33.119.226:443", "162.241.140.129:8080", "130.0.132.242:80", "190.108.228.27:443", "201.241.127.190:80", "87.106.139.101:8080", "78.188.106.53:443", "188.219.31.12:80", "76.171.227.238:80", "72.143.73.234:443", "62.171.142.179:8080", "139.59.60.244:8080", "24.137.76.62:80", "172.86.188.251:8080", "172.91.208.86:80", "94.23.237.171:443"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 2ojdmC51As.exe	Virustotal: Detection: 76%	Perma Link
Source: 2ojdmC51As.exe	Metadefender: Detection: 67%	Perma Link
Source: 2ojdmC51As.exe	ReversingLabs: Detection: 88%

Machine Learning detection for sample

Show sources

Source: 2ojdmC51As.exe

Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C2290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C1FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptDuplicateHash,

Source: 2ojdmC51As.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_004182CC FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_004182CC FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 200.116.145.225:443
Source: Malware configuration extractor	IPs: 96.126.101.6:8080
Source: Malware configuration extractor	IPs: 5.196.108.185:8080
Source: Malware configuration extractor	IPs: 167.114.153.111:8080
Source: Malware configuration extractor	IPs: 194.187.133.160:443
Source: Malware configuration extractor	IPs: 98.174.164.72:80
Source: Malware configuration extractor	IPs: 103.86.49.11:8080
Source: Malware configuration extractor	IPs: 78.24.219.147:8080
Source: Malware configuration extractor	IPs: 50.245.107.73:443
Source: Malware configuration extractor	IPs: 110.145.77.103:80
Source: Malware configuration extractor	IPs: 94.200.114.161:80
Source: Malware configuration extractor	IPs: 61.19.246.238:443
Source: Malware configuration extractor	IPs: 194.4.58.192:7080
Source: Malware configuration extractor	IPs: 209.54.13.14:80
Source: Malware configuration extractor	IPs: 102.182.93.220:80
Source: Malware configuration extractor	IPs: 186.70.56.94:443
Source: Malware configuration extractor	IPs: 203.153.216.189:7080
Source: Malware configuration extractor	IPs: 49.50.209.131:80
Source: Malware configuration extractor	IPs: 176.113.52.6:443
Source: Malware configuration extractor	IPs: 62.30.7.67:443
Source: Malware configuration extractor	IPs: 61.76.222.210:80
Source: Malware configuration extractor	IPs: 113.61.66.94:80
Source: Malware configuration extractor	IPs: 157.245.99.39:8080
Source: Malware configuration extractor	IPs: 216.139.123.119:80
Source: Malware configuration extractor	IPs: 184.180.181.202:80
Source: Malware configuration extractor	IPs: 123.142.37.166:80
Source: Malware configuration extractor	IPs: 124.41.215.226:80
Source: Malware configuration extractor	IPs: 119.59.116.21:8080
Source: Malware configuration extractor	IPs: 41.185.28.84:8080
Source: Malware configuration extractor	IPs: 5.39.91.110:7080
Source: Malware configuration extractor	IPs: 220.245.198.194:80
Source: Malware configuration extractor	IPs: 139.162.108.71:8080
Source: Malware configuration extractor	IPs: 75.143.247.51:80
Source: Malware configuration extractor	IPs: 74.214.230.200:80
Source: Malware configuration extractor	IPs: 185.94.252.104:443
Source: Malware configuration extractor	IPs: 208.180.207.205:80
Source: Malware configuration extractor	IPs: 49.3.224.99:8080
Source: Malware configuration extractor	IPs: 93.147.212.206:80
Source: Malware configuration extractor	IPs: 182.208.30.18:443
Source: Malware configuration extractor	IPs: 95.213.236.64:8080
Source: Malware configuration extractor	IPs: 37.187.72.193:8080
Source: Malware configuration extractor	IPs: 59.125.219.109:443
Source: Malware configuration extractor	IPs: 37.179.204.33:80
Source: Malware configuration extractor	IPs: 95.9.5.93:80
Source: Malware configuration extractor	IPs: 168.235.67.138:7080
Source: Malware configuration extractor	IPs: 118.83.154.64:443
Source: Malware configuration extractor	IPs: 121.7.31.214:80
Source: Malware configuration extractor	IPs: 74.208.45.104:8080
Source: Malware configuration extractor	IPs: 87.106.136.232:8080
Source: Malware configuration extractor	IPs: 138.68.87.218:443
Source: Malware configuration extractor	IPs: 62.75.141.82:80
Source: Malware configuration extractor	IPs: 66.76.12.94:8080
Source: Malware configuration extractor	IPs: 202.134.4.216:8080
Source: Malware configuration extractor	IPs: 47.36.140.164:80
Source: Malware configuration extractor	IPs: 110.142.236.207:80
Source: Malware configuration extractor	IPs: 134.209.144.106:443
Source: Malware configuration extractor	IPs: 89.216.122.92:80
Source: Malware configuration extractor	IPs: 75.188.96.231:80
Source: Malware configuration extractor	IPs: 24.179.13.119:80
Source: Malware configuration extractor	IPs: 218.147.193.146:80
Source: Malware configuration extractor	IPs: 174.106.122.139:80
Source: Malware configuration extractor	IPs: 71.15.245.148:8080
Source: Malware configuration extractor	IPs: 104.131.11.150:443
Source: Malware configuration extractor	IPs: 202.141.243.254:443
Source: Malware configuration extractor	IPs: 94.230.70.6:80
Source: Malware configuration extractor	IPs: 24.178.90.49:80
Source: Malware configuration extractor	IPs: 97.82.79.83:80
Source: Malware configuration extractor	IPs: 68.252.26.78:80
Source: Malware configuration extractor	IPs: 173.63.222.65:80
Source: Malware configuration extractor	IPs: 162.241.242.173:8080
Source: Malware configuration extractor	IPs: 79.137.83.50:443
Source: Malware configuration extractor	IPs: 80.241.255.202:8080
Source: Malware configuration extractor	IPs: 120.150.60.189:80
Source: Malware configuration extractor	IPs: 96.245.227.43:80
Source: Malware configuration extractor	IPs: 50.91.114.38:80
Source: Malware configuration extractor	IPs: 83.110.223.58:443
Source: Malware configuration extractor	IPs: 24.230.141.169:80
Source: Malware configuration extractor	IPs: 37.139.21.175:8080
Source: Malware configuration extractor	IPs: 202.134.4.211:8080
Source: Malware configuration extractor	IPs: 190.240.194.77:443
Source: Malware configuration extractor	IPs: 176.111.60.55:8080
Source: Malware configuration extractor	IPs: 123.176.25.234:80
Source: Malware configuration extractor	IPs: 209.141.54.221:7080
Source: Malware configuration extractor	IPs: 115.94.207.99:443
Source: Malware configuration extractor	IPs: 50.35.17.13:80
Source: Malware configuration extractor	IPs: 109.74.5.95:8080
Source: Malware configuration extractor	IPs: 120.150.218.241:443
Source: Malware configuration extractor	IPs: 121.124.124.40:7080
Source: Malware configuration extractor	IPs: 217.20.166.178:7080
Source: Malware configuration extractor	IPs: 108.46.29.236:80
Source: Malware configuration extractor	IPs: 2.58.16.89:8080
Source: Malware configuration extractor	IPs: 85.105.111.166:80
Source: Malware configuration extractor	IPs: 137.59.187.107:8080
Source: Malware configuration extractor	IPs: 139.162.60.124:8080
Source: Malware configuration extractor	IPs: 76.175.162.101:80
Source: Malware configuration extractor	IPs: 139.99.158.11:443
Source: Malware configuration extractor	IPs: 104.131.123.136:443
Source: Malware configuration extractor	IPs: 91.211.88.52:7080
Source: Malware configuration extractor	IPs: 91.146.156.228:80
Source: Malware configuration extractor	IPs: 172.104.97.173:8080
Source: Malware configuration extractor	IPs: 89.121.205.18:80
Source: Malware configuration extractor	IPs: 186.74.215.34:80
Source: Malware configuration extractor	IPs: 61.33.119.226:443
Source: Malware configuration extractor	IPs: 162.241.140.129:8080
Source: Malware configuration extractor	IPs: 130.0.132.242:80
Source: Malware configuration extractor	IPs: 190.108.228.27:443
Source: Malware configuration extractor	IPs: 201.241.127.190:80
Source: Malware configuration extractor	IPs: 87.106.139.101:8080
Source: Malware configuration extractor	IPs: 78.188.106.53:443
Source: Malware configuration extractor	IPs: 188.219.31.12:80
Source: Malware configuration extractor	IPs: 76.171.227.238:80
Source: Malware configuration extractor	IPs: 72.143.73.234:443
Source: Malware configuration extractor	IPs: 62.171.142.179:8080
Source: Malware configuration extractor	IPs: 139.59.60.244:8080
Source: Malware configuration extractor	IPs: 24.137.76.62:80
Source: Malware configuration extractor	IPs: 172.86.188.251:8080
Source: Malware configuration extractor	IPs: 172.91.208.86:80
Source: Malware configuration extractor	IPs: 94.23.237.171:443

Source: unknown

Network traffic detected: IP country count 34

Source: global traffic	TCP traffic: 192.168.2.5:49723 -> 96.126.101.6:8080
Source: global traffic	TCP traffic: 192.168.2.5:49724 -> 5.196.108.185:8080
Source: global traffic	TCP traffic: 192.168.2.5:49728 -> 167.114.153.111:8080
Source: global traffic	TCP traffic: 192.168.2.5:49747 -> 103.86.49.11:8080
Source: global traffic	TCP traffic: 192.168.2.5:49748 -> 78.24.219.147:8080

Source: Joe Sandbox View	ASN Name: HOSTER-KZ HOSTER-KZ
Source: Joe Sandbox View	ASN Name: AfrihostZA AfrihostZA

Source: global traffic

HTTP traffic detected: POST /wGf14n07/vS3mZ/aWoW/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 5.196.108.185/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-----------jFClBgacZrwUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 5.196.108.185:8080Content-Length: 4596Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 200.116.145.225
Source: unknown	TCP traffic detected without corresponding DNS query: 200.116.145.225
Source: unknown	TCP traffic detected without corresponding DNS query: 200.116.145.225
Source: unknown	TCP traffic detected without corresponding DNS query: 96.126.101.6
Source: unknown	TCP traffic detected without corresponding DNS query: 96.126.101.6
Source: unknown	TCP traffic detected without corresponding DNS query: 96.126.101.6
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.108.185
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.108.185
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.108.185
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.108.185
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.108.185
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown	TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown	TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown	TCP traffic detected without corresponding DNS query: 98.174.164.72
Source: unknown	TCP traffic detected without corresponding DNS query: 98.174.164.72
Source: unknown	TCP traffic detected without corresponding DNS query: 98.174.164.72
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.108.185
Source: unknown	TCP traffic detected without corresponding DNS query: 103.86.49.11
Source: unknown	TCP traffic detected without corresponding DNS query: 103.86.49.11
Source: unknown	TCP traffic detected without corresponding DNS query: 103.86.49.11
Source: unknown	TCP traffic detected without corresponding DNS query: 78.24.219.147
Source: unknown	TCP traffic detected without corresponding DNS query: 78.24.219.147
Source: unknown	TCP traffic detected without corresponding DNS query: 78.24.219.147
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.108.185

Source: svchost.exe, 00000016.00000003.400623292.000001DCAE722000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000016.00000003.400623292.000001DCAE722000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000016.00000003.400383367.000001DCAE767000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-05T08:18:42.8639720Z\|\|.\|\|dd237c2b-2874-48fe-90b2-f0059c8f0c6d\|\|1152921505693245717\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000016.00000003.400383367.000001DCAE767000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-05T08:18:42.8639720Z\|\|.\|\|dd237c2b-2874-48fe-90b2-f0059c8f0c6d\|\|1152921505693245717\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000016.00000003.400623292.000001DCAE722000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
Source: svchost.exe, 00000016.00000003.400623292.000001DCAE722000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
Source: svchost.exe, 00000016.00000003.393782565.000001DCAE782000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-02T18:22:42.6875348Z\|\|.\|\|d304cd4c-475a-4125-aa87-5c57cb1f4562\|\|1152921505693241551\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-02T18:21:36.4242164Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000016.00000003.393796977.000001DCAE763000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-02T18:22:42.6875348Z\|\|.\|\|d304cd4c-475a-4125-aa87-5c57cb1f4562\|\|1152921505693241551\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-02T18:21:36.4242164Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000016.00000003.394281664.000001DCAE725000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x64"],"Capabilities":["runFullTrust","internetClient","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":137909932,"PackageFormat":"Appx","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","MainPackageFamilyNameForDlc":null,"PackageFullName":"FACEBOOK.317180B0BB486_910.5.119.0_x64__8xx8rvfyw5nnt","PackageId":"7a013703-edb8-6940-193c-127d899a1d9b-X64","PackageRank":30002,"PlatformDependencies":[{"MaxTested":2814750970478592,"MinVersion":2814750438195200,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"FACEBOOK.317180B0BB486_910.5.119.0_x64__8xx8rvfyw5nnt\",\"content.productId\":\"3219d30d-4a23-4f58-a91c-c44b04e6a0c7\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750970478592,\"platform.minVersion\":2814750438195200,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Social\",\"optOut.backu

Source: unknown

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 12 Mar 2021 15:27:27 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/RWKwnR00xL9KFn/8u41u6KEQrM/jtlSmN2GQ/
Source: iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/RWKwnR00xL9KFn/8u41u6KEQrM/jtlSmN2GQ/l
Source: iasrecst.exe, 00000001.00000003.405645710.0000000002981000.00000004.00000001.sdmp, iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmp	String found in binary or memory: http://194.187.133.160:443/3El8N8aRynButJ/
Source: iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmp	String found in binary or memory: http://5.196.108.185:8080/wGf14n07/vS3mZ/aWoW/q
Source: iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmp	String found in binary or memory: http://78.24.219.147:8080/sYVMb8sSsBN1RjvCK/iGzstLqezClQ/N1nFCPZm6mEYgboT/pmtRsMHWSucuO/QEkDfx4jkf1H
Source: iasrecst.exe, 00000001.00000003.327469162.0000000002981000.00000004.00000001.sdmp	String found in binary or memory: http://96.126.101.6:8080/j8688GhgZ4mpI2/
Source: iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmp	String found in binary or memory: http://98.174.164.72/2CRvCvWLe/Uxu7RQJUiJql1/
Source: iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmp	String found in binary or memory: http://98.174.164.72/2CRvCvWLe/Uxu7RQJUiJql1/%
Source: svchost.exe, 00000016.00000002.411881082.000001DCADE70000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000006.00000002.498370452.000002074589B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.m
Source: svchost.exe, 00000016.00000002.411881082.000001DCADE70000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000006.00000002.494908534.00000207402BA000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000016.00000002.411881082.000001DCADE70000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000016.00000002.411881082.000001DCADE70000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 00000006.00000002.494908534.00000207402BA000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000006.00000002.498171073.0000020745800000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000006.00000002.498650900.0000020745B10000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000009.00000002.305642289.0000015674A13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.305136565.0000015674A48000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000002.305686531.0000015674A42000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000002.305686531.0000015674A42000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.305206943.0000015674A40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.305136565.0000015674A48000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.283475151.0000015674A31000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.305642289.0000015674A13000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.283475151.0000015674A31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.305199569.0000015674A45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.283475151.0000015674A31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000002.305673394.0000015674A3A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000003.305136565.0000015674A48000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00422473 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00422488 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0041580E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_004238DC GetKeyState,GetKeyState,GetKeyState,
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0041E95F ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00412ABD GetKeyState,GetKeyState,GetKeyState,GetKeyState,
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00410E05 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00422473 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00422488 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_0041580E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_004238DC GetKeyState,GetKeyState,GetKeyState,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_0041E95F ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00412ABD GetKeyState,GetKeyState,GetKeyState,GetKeyState,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00410E05 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.494960467.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.231317711.0000000002194000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.496587282.0000000002284000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230964663.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.2ojdmC51As.exe.21e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.71052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.71279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2ojdmC51As.exe.60279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.71052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2ojdmC51As.exe.60052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.71279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.22c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2ojdmC51As.exe.60279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2ojdmC51As.exe.60052e.2.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe

Code function: 1_2_022C2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,

Source: C:\Users\user\Desktop\2ojdmC51As.exe

File created: C:\Windows\SysWOW64\WsmSvc\

Jump to behavior

Source: C:\Users\user\Desktop\2ojdmC51As.exe

File deleted: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00408293
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_004145CA
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E8240
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E7740
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E6530
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E3BA0
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E3F20
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E1C70
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E3D10
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0060380E
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_006080CE
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_006058AE
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00408293
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_004145CA
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C8240
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C7740
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C6530
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C3BA0
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C3F20
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C1C70
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C3D10

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: String function: 00406520 appears 168 times
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: String function: 00405626 appears 44 times
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: String function: 00406520 appears 174 times
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: String function: 00405626 appears 49 times

Source: 2ojdmC51As.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2ojdmC51As.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 2ojdmC51As.exe, 00000000.00000000.228277630.000000000043C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEffectDemo.EXEN vs 2ojdmC51As.exe
Source: 2ojdmC51As.exe, 00000000.00000002.232241587.0000000002B10000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 2ojdmC51As.exe
Source: 2ojdmC51As.exe, 00000000.00000002.232241587.0000000002B10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 2ojdmC51As.exe
Source: 2ojdmC51As.exe, 00000000.00000002.232088249.0000000002A10000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 2ojdmC51As.exe
Source: 2ojdmC51As.exe	Binary or memory string: OriginalFilenameEffectDemo.EXEN vs 2ojdmC51As.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll

Source: 2ojdmC51As.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal88.troj.evad.winEXE@16/5@0/100

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_00418C88 __EH_prolog,GetDiskFreeSpaceA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle,

Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe

Code function: 1_2_022C4CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification,

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_00412121 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_021E5070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:4672:120:WilError_01

Source: 2ojdmC51As.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2ojdmC51As.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 2ojdmC51As.exe	Virustotal: Detection: 76%
Source: 2ojdmC51As.exe	Metadefender: Detection: 67%
Source: 2ojdmC51As.exe	ReversingLabs: Detection: 88%

Source: unknown	Process created: C:\Users\user\Desktop\2ojdmC51As.exe 'C:\Users\user\Desktop\2ojdmC51As.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe C:\Windows\SysWOW64\WsmSvc\iasrecst.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Process created: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe C:\Windows\SysWOW64\WsmSvc\iasrecst.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_004013A4 LoadLibraryA,GetProcAddress,CreateDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc,

Source: 2ojdmC51As.exe

Static PE information: real checksum: 0x69574 should be: 0x6a2b7

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00406520 push eax; ret
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00406830 push eax; ret
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5E10 push ecx; mov dword ptr [esp], 0000F5B3h
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5EA0 push ecx; mov dword ptr [esp], 0000A3FDh
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5EF0 push ecx; mov dword ptr [esp], 0000669Ch
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5F20 push ecx; mov dword ptr [esp], 0000E36Ch
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5CD0 push ecx; mov dword ptr [esp], 00001CE1h
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5D00 push ecx; mov dword ptr [esp], 00001F9Eh
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5D20 push ecx; mov dword ptr [esp], 0000C5A1h
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5D50 push ecx; mov dword ptr [esp], 00006847h
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5D90 push ecx; mov dword ptr [esp], 0000B2E0h
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5DC0 push ecx; mov dword ptr [esp], 000089FAh
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5DF0 push ecx; mov dword ptr [esp], 0000AAF5h
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0060786E push ecx; mov dword ptr [esp], 00001CE1h
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_006078EE push ecx; mov dword ptr [esp], 00006847h
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_006078BE push ecx; mov dword ptr [esp], 0000C5A1h
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0060789E push ecx; mov dword ptr [esp], 00001F9Eh
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0060795E push ecx; mov dword ptr [esp], 000089FAh
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0060792E push ecx; mov dword ptr [esp], 0000B2E0h
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_006079AE push ecx; mov dword ptr [esp], 0000F5B3h
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0060798E push ecx; mov dword ptr [esp], 0000AAF5h
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0061EA26 push ebp; iretd
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00607A3E push ecx; mov dword ptr [esp], 0000A3FDh
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00406520 push eax; ret
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00406830 push eax; ret
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C5E10 push ecx; mov dword ptr [esp], 0000F5B3h
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C5EA0 push ecx; mov dword ptr [esp], 0000A3FDh
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C5EF0 push ecx; mov dword ptr [esp], 0000669Ch
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C5F20 push ecx; mov dword ptr [esp], 0000E36Ch
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C5CD0 push ecx; mov dword ptr [esp], 00001CE1h
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C5D20 push ecx; mov dword ptr [esp], 0000C5A1h

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Executable created and started: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe

Source: C:\Users\user\Desktop\2ojdmC51As.exe

PE file moved: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\2ojdmC51As.exe

File opened: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0042252B IsWindowVisible,IsIconic,
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_004198B0 GetParent,GetParent,GetParent,IsIconic,
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00404F00 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_0042252B IsWindowVisible,IsIconic,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_004198B0 GetParent,GetParent,GetParent,IsIconic,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00404F00 IsIconic,GetWindowPlacement,GetWindowRect,

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Show sources

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Source: C:\Users\user\Desktop\2ojdmC51As.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,

Source: C:\Users\user\Desktop\2ojdmC51As.exe	API coverage: 3.4 %
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	API coverage: 4.5 %

Source: C:\Windows\System32\svchost.exe TID: 4652	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 896	Thread sleep time: -120000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\2ojdmC51As.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_004182CC FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_004182CC FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,

Source: svchost.exe, 00000006.00000002.498296170.0000020745862000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000007.00000002.498004562.0000021F63F40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.305034649.000002922C540000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.356381490.0000027463460000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.379325879.00000228E6D40000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.412752585.000001DCAEE00000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: iasrecst.exe, 00000001.00000003.327469162.0000000002981000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.494606751.0000020740229000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.411985154.000001DCADEEC000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.498004562.0000021F63F40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.305034649.000002922C540000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.356381490.0000027463460000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.379325879.00000228E6D40000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.412752585.000001DCAEE00000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000007.00000002.498004562.0000021F63F40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.305034649.000002922C540000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.356381490.0000027463460000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.379325879.00000228E6D40000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.412752585.000001DCAEE00000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWP9
Source: svchost.exe, 00000016.00000002.411896397.000001DCADE85000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`
Source: svchost.exe, 00000007.00000002.494919022.0000021F63268000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.494467171.0000020BD3429000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000007.00000002.498004562.0000021F63F40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.305034649.000002922C540000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.356381490.0000027463460000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.379325879.00000228E6D40000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.412752585.000001DCAEE00000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_004013A4 LoadLibraryA,GetProcAddress,CreateDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc,

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_004013A4 LoadLibraryA,GetProcAddress,CreateDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc,

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E4E20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E3F20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0060095E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_006069BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C4E20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C3F20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_02281030 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_021E42F0 GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00409C36 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00409C48 SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00409C36 SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00409C48 SetUnhandledExceptionFilter,

Source: iasrecst.exe, 00000001.00000002.496377265.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: iasrecst.exe, 00000001.00000002.496377265.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: iasrecst.exe, 00000001.00000002.496377265.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: iasrecst.exe, 00000001.00000002.496377265.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: iasrecst.exe, 00000001.00000002.496377265.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_00406204 GetLocalTime,GetSystemTime,GetTimeZoneInformation,

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_00406204 GetLocalTime,GetSystemTime,GetTimeZoneInformation,

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_00425FF1 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,

Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 0000000B.00000002.494381263.000001FB9AA40000.00000004.00000001.sdmp	Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000B.00000002.494510769.000001FB9AB02000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.494960467.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.231317711.0000000002194000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.496587282.0000000002284000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230964663.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.2ojdmC51As.exe.21e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.71052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.71279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2ojdmC51As.exe.60279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.71052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2ojdmC51As.exe.60052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.71279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.22c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2ojdmC51As.exe.60279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2ojdmC51As.exe.60052e.2.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	Input Capture1	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API11	Windows Service2	Windows Service2	Deobfuscate/Decode Files or Information1	LSASS Memory	System Service Discovery1	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Service Execution1	Logon Script (Windows)	Process Injection2	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	DLL Side-Loading1	NTDS	System Information Discovery26	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	File Deletion1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol113	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading12	Cached Domain Credentials	Security Software Discovery51	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion3	DCSync	Virtualization/Sandbox Evasion3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection2	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2ojdmC51As.exe	76%	Virustotal		Browse
2ojdmC51As.exe	70%	Metadefender		Browse
2ojdmC51As.exe	89%	ReversingLabs	Win32.Trojan.Emotet
2ojdmC51As.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.2ojdmC51As.exe.21e0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.iasrecst.exe.71052e.2.unpack	100%	Avira	HEUR/AGEN.1110377	Download File
1.2.iasrecst.exe.71279e.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.2ojdmC51As.exe.60052e.2.unpack	100%	Avira	HEUR/AGEN.1110377	Download File
1.2.iasrecst.exe.22c0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.2ojdmC51As.exe.60279e.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://5.196.108.185:8080/wGf14n07/vS3mZ/aWoW/	0%	Avira URL Cloud	safe
http://5.196.108.185:8080/wGf14n07/vS3mZ/aWoW/q	0%	Avira URL Cloud	safe
http://167.114.153.111:8080/RWKwnR00xL9KFn/8u41u6KEQrM/jtlSmN2GQ/l	0%	Avira URL Cloud	safe
http://78.24.219.147:8080/sYVMb8sSsBN1RjvCK/iGzstLqezClQ/N1nFCPZm6mEYgboT/pmtRsMHWSucuO/QEkDfx4jkf1H	0%	Avira URL Cloud	safe
http://96.126.101.6:8080/j8688GhgZ4mpI2/	0%	Avira URL Cloud	safe
http://98.174.164.72/2CRvCvWLe/Uxu7RQJUiJql1/%	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
http://167.114.153.111:8080/RWKwnR00xL9KFn/8u41u6KEQrM/jtlSmN2GQ/	0%	Avira URL Cloud	safe
http://194.187.133.160:443/3El8N8aRynButJ/	0%	Avira URL Cloud	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
http://98.174.164.72/2CRvCvWLe/Uxu7RQJUiJql1/	0%	Avira URL Cloud	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://5.196.108.185:8080/wGf14n07/vS3mZ/aWoW/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/contact/	svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 00000009.00000003.305136565.0000015674A48000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 00000009.00000002.305686531.0000015674A42000.00000004.00000001.sdmp	false		high
https://www.hulu.com/ca-privacy-rights	svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000009.00000003.283475151.0000015674A31000.00000004.00000001.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	false		high
http://5.196.108.185:8080/wGf14n07/vS3mZ/aWoW/q	iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000009.00000002.305686531.0000015674A42000.00000004.00000001.sdmp	false		high
http://www.hulu.com/terms	svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmp	false		high
http://167.114.153.111:8080/RWKwnR00xL9KFn/8u41u6KEQrM/jtlSmN2GQ/l	iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
https://en.help.roblox.com/hc/en-us	svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 00000009.00000002.305642289.0000015674A13000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	false		high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
https://www.hulu.com/do-not-sell-my-info	svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000009.00000003.305199569.0000015674A45000.00000004.00000001.sdmp	false		high
http://78.24.219.147:8080/sYVMb8sSsBN1RjvCK/iGzstLqezClQ/N1nFCPZm6mEYgboT/pmtRsMHWSucuO/QEkDfx4jkf1H	iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	false		high
https://www.roblox.com/develop	svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	false		high
https://instagram.com/hiddencity_	svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	false		high
http://96.126.101.6:8080/j8688GhgZ4mpI2/	iasrecst.exe, 00000001.00000003.327469162.0000000002981000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000009.00000003.283475151.0000015674A31000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.305206943.0000015674A40000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/parents/	svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000009.00000002.305642289.0000015674A13000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	false		high
http://98.174.164.72/2CRvCvWLe/Uxu7RQJUiJql1/%	iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://%s.xboxlive.com	svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000009.00000003.305136565.0000015674A48000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000009.00000003.283475151.0000015674A31000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
http://www.hulu.com/privacy	svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	false		high
http://crl.m	svchost.exe, 00000006.00000002.498370452.000002074589B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	svchost.exe, 00000006.00000002.498650900.0000020745B10000.00000002.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	false		high
http://167.114.153.111:8080/RWKwnR00xL9KFn/8u41u6KEQrM/jtlSmN2GQ/	iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://194.187.133.160:443/3El8N8aRynButJ/	iasrecst.exe, 00000001.00000003.405645710.0000000002981000.00000004.00000001.sdmp, iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.t	svchost.exe, 00000009.00000003.305136565.0000015674A48000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000009.00000002.305673394.0000015674A3A000.00000004.00000001.sdmp	false		high
https://www.roblox.com/info/privacy	svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	false		high
http://www.g5e.com/termsofservice	svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	false		high
http://98.174.164.72/2CRvCvWLe/Uxu7RQJUiJql1/	iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com	svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
194.4.58.192	unknown	Kazakhstan	202958	HOSTER-KZ	true
102.182.93.220	unknown	South Africa	37611	AfrihostZA	true
94.200.114.161	unknown	United Arab Emirates	15802	DU-AS1AE	true
95.9.5.93	unknown	Turkey	9121	TTNETTR	true
115.94.207.99	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
89.121.205.18	unknown	Romania	9050	RTDBucharestRomaniaRO	true
200.116.145.225	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
216.139.123.119	unknown	United States	395582	GRM-NETWORKUS	true
138.68.87.218	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
220.245.198.194	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
104.131.11.150	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
176.111.60.55	unknown	Ukraine	24703	UN-UKRAINE-ASKievUkraineUA	true
24.178.90.49	unknown	United States	20115	CHARTER-20115US	true
94.23.237.171	unknown	France	16276	OVHFR	true
41.185.28.84	unknown	South Africa	36943	GridhostZA	true
139.162.108.71	unknown	Netherlands	63949	LINODE-APLinodeLLCUS	true
186.74.215.34	unknown	Panama	11556	CableWirelessPanamaPA	true
202.134.4.216	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
120.150.218.241	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
202.134.4.211	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
87.106.139.101	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
62.30.7.67	unknown	United Kingdom	5089	NTLGB	true
123.142.37.166	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
75.143.247.51	unknown	United States	20115	CHARTER-20115US	true
49.3.224.99	unknown	Australia	4804	MPX-ASMicroplexPTYLTDAU	true
87.106.136.232	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
124.41.215.226	unknown	Nepal	17501	WLINK-NEPAL-AS-APWorldLinkCommunicationsPvtLtdNP	true
62.75.141.82	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
162.241.140.129	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
119.59.116.21	unknown	Thailand	56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true
113.61.66.94	unknown	Australia	45510	TELCOINABOX-AULevel109HunterStreetAU	true
96.245.227.43	unknown	United States	701	UUNETUS	true
172.91.208.86	unknown	United States	20001	TWC-20001-PACWESTUS	true
37.139.21.175	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
194.187.133.160	unknown	Bulgaria	13124	IBGCBG	true
121.7.31.214	unknown	Singapore	9506	SINGTEL-FIBRESingtelFibreBroadbandSG	true
61.76.222.210	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
95.213.236.64	unknown	Russian Federation	49505	SELECTELRU	true
5.196.108.185	unknown	France	16276	OVHFR	true
76.171.227.238	unknown	United States	20001	TWC-20001-PACWESTUS	true
74.214.230.200	unknown	United States	36728	EMERYTELCOMUS	true
110.145.77.103	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
96.126.101.6	unknown	United States	63949	LINODE-APLinodeLLCUS	true
120.150.60.189	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
93.147.212.206	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
98.174.164.72	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
91.211.88.52	unknown	Ukraine	206638	HOSTFORYUA	true
172.86.188.251	unknown	Canada	32489	AMANAHA-NEWCA	true
50.35.17.13	unknown	United States	27017	ZIPLY-FIBER-LEGACY-ASNUS	true
157.245.99.39	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
75.188.96.231	unknown	United States	10796	TWC-10796-MIDWESTUS	true
167.114.153.111	unknown	Canada	16276	OVHFR	true
37.179.204.33	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
203.153.216.189	unknown	Indonesia	45291	SURF-IDPTSurfindoNetworkID	true
59.125.219.109	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	true
2.58.16.89	unknown	Latvia	64421	SERTEX-ASLV	true
62.171.142.179	unknown	United Kingdom	51167	CONTABODE	true
162.241.242.173	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
123.176.25.234	unknown	Maldives	7642	DHIRAAGU-MV-APDHIVEHIRAAJJEYGEGULHUNPLCMV	true
50.91.114.38	unknown	United States	33363	BHN-33363US	true
61.33.119.226	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
78.24.219.147	unknown	Russian Federation	29182	THEFIRST-ASRU	true
24.179.13.119	unknown	United States	20115	CHARTER-20115US	true
173.63.222.65	unknown	United States	701	UUNETUS	true
47.36.140.164	unknown	United States	20115	CHARTER-20115US	true
110.142.236.207	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
139.99.158.11	unknown	Canada	16276	OVHFR	true
49.50.209.131	unknown	New Zealand	55853	MEGATEL-AS-APMegatelNZ	true
190.108.228.27	unknown	Argentina	27751	NeunetSAAR	true
202.141.243.254	unknown	Pakistan	9260	MULTINET-AS-APMultinetPakistanPvtLtdPK	true
121.124.124.40	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
139.59.60.244	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
61.19.246.238	unknown	Thailand	9335	CAT-CLOUD-APCATTelecomPublicCompanyLimitedTH	true
168.235.67.138	unknown	United States	3842	RAMNODEUS	true
137.59.187.107	unknown	Hong Kong	18106	VIEWQWEST-SG-APViewqwestPteLtdSG	true
78.188.106.53	unknown	Turkey	9121	TTNETTR	true
71.15.245.148	unknown	United States	20115	CHARTER-20115US	true
188.219.31.12	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
217.20.166.178	unknown	Ukraine	1820	WNETUS	true
24.230.141.169	unknown	United States	11232	MIDCO-NETUS	true
74.208.45.104	unknown	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
134.209.144.106	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
186.70.56.94	unknown	Ecuador	14522	SatnetEC	true
97.82.79.83	unknown	United States	20115	CHARTER-20115US	true
139.162.60.124	unknown	Netherlands	63949	LINODE-APLinodeLLCUS	true
172.104.97.173	unknown	United States	63949	LINODE-APLinodeLLCUS	true
184.180.181.202	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
176.113.52.6	unknown	Russian Federation	8712	INTA-ASRU	true
68.252.26.78	unknown	United States	7018	ATT-INTERNET4US	true
201.241.127.190	unknown	Chile	22047	VTRBANDAANCHASACL	true
91.146.156.228	unknown	Hungary	8462	TARR1HU	true
24.137.76.62	unknown	Canada	11260	EASTLINK-HSICA	true
182.208.30.18	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	true
108.46.29.236	unknown	United States	701	UUNETUS	true
37.187.72.193	unknown	France	16276	OVHFR	true
209.54.13.14	unknown	United States	11492	CABLEONEUS	true
94.230.70.6	unknown	Italy	48500	IRPNET-ASIT	true
85.105.111.166	unknown	Turkey	9121	TTNETTR	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	367934
Start date:	12.03.2021
Start time:	16:25:49
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 14s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	2ojdmC51As.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@16/5@0/100
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 70.4% (good quality ratio 69.6%) Quality average: 85% Quality standard deviation: 22.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 93.184.220.29, 204.79.197.200, 13.107.21.200, 51.104.139.180, 52.147.198.201, 40.88.32.150, 104.43.139.144, 23.211.6.115, 184.30.24.56, 92.122.213.247, 92.122.213.194, 51.103.5.186, 20.82.210.154, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:26:54	API Interceptor	12x Sleep call for process: svchost.exe modified
16:28:08	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
200.116.145.225	2ojdmC51As.exe	Get hash	malicious	Browse	200.116.145.225:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/
200.116.145.225	GM8716863026AA.doc	Get hash	malicious	Browse	200.116.145.225:443/eHRi0AsvmChNb0B/Sq2LBDG3K/dHE8SMLlJOlFGym/g6iocDdP0QPHR/
194.4.58.192	IU-8549 Medical report COVID-19.doc	Get hash	malicious	Browse
94.200.114.161	test-emotet.exe	Get hash	malicious	Browse	94.200.114.161/
95.9.5.93	IU-8549 Medical report COVID-19.doc	Get hash	malicious	Browse
115.94.207.99	https://contentsxx.xsrv.jp/academia/parts_service/7xg/	Get hash	malicious	Browse	115.94.207.99:443/OUnj/nu5Sn5pH6W/XCxNN4goRNgqaQshv/BH9p/alZ3dnjhwqocs6Wj/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOSTER-KZ	FileZilla_3.50.0_win64-setup.exe	Get hash	malicious	Browse	185.116.194.200
	0304_87496944093261.doc	Get hash	malicious	Browse	185.100.65.29
	0304_56958375050481.doc	Get hash	malicious	Browse	185.100.65.29
	Static.dll	Get hash	malicious	Browse	185.100.65.29
	msals.dll	Get hash	malicious	Browse	185.100.65.29
	Static.dll	Get hash	malicious	Browse	185.100.65.29
	msals.dll	Get hash	malicious	Browse	185.100.65.29
	0302_21678088538951.doc	Get hash	malicious	Browse	185.100.65.29
	Static.dll	Get hash	malicious	Browse	185.100.65.29
	msals.dll	Get hash	malicious	Browse	185.100.65.29
	0301_4735106192.doc	Get hash	malicious	Browse	185.100.65.29
	Hs52qascx.dll	Get hash	malicious	Browse	185.100.65.29
	0224_13930141056302.doc	Get hash	malicious	Browse	185.100.65.29
	0224_11959736734789.doc	Get hash	malicious	Browse	185.100.65.29
	IU-8549 Medical report COVID-19.doc	Get hash	malicious	Browse	194.4.58.192
	0217_1737094153981.doc	Get hash	malicious	Browse	185.100.65.29
	Hs52qascx.dll	Get hash	malicious	Browse	185.100.65.29
	0211_38602014674781.doc	Get hash	malicious	Browse	185.100.65.29
	0210_1723194332604.doc	Get hash	malicious	Browse	185.100.65.29
	Wh102yYa.dll	Get hash	malicious	Browse	185.100.65.29
AfrihostZA	Our REVISED Order 1032021.exe	Get hash	malicious	Browse	154.0.173.248
	payslip.exe	Get hash	malicious	Browse	169.1.24.244
	MV9tCJw8Xr.exe	Get hash	malicious	Browse	41.76.213.144
	document-1915351743.xls	Get hash	malicious	Browse	197.242.147.47
	tems order.exe	Get hash	malicious	Browse	154.0.167.156
	INV3249732836.xlsm	Get hash	malicious	Browse	154.0.168.63
	New order.exe	Get hash	malicious	Browse	154.0.167.156
	INV6708494406.xlsm	Get hash	malicious	Browse	154.0.168.63
	SA00208.exe	Get hash	malicious	Browse	169.1.24.244
	Statement_as_of_01_FEB-2021.xlsm	Get hash	malicious	Browse	154.0.171.186
	000U0UUPOOO.exe	Get hash	malicious	Browse	154.0.170.214
	#B30COPY.htm	Get hash	malicious	Browse	154.0.175.244
	bin.sh	Get hash	malicious	Browse	169.173.126.123
	New order.exe	Get hash	malicious	Browse	154.0.163.40
	Review bank details.exe	Get hash	malicious	Browse	154.0.167.156
	3-321-68661.xls	Get hash	malicious	Browse	197.242.151.164
	#20030300COPY.htm	Get hash	malicious	Browse	154.0.175.244
	https://motswedingms.co.za/wp-content/axis/oauth/site/service/demp.php?email=kazou.mvl@cm.be	Get hash	malicious	Browse	154.0.173.185
	#20030300COPY.htm	Get hash	malicious	Browse	154.0.175.244
	DOCX9-29827.doc	Get hash	malicious	Browse	154.0.165.27

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5884411679108142
Encrypted:	false
SSDEEP:	6:bxk1GaD0JOCEfMuaaD0JOCEfMKQmD/h/tAl/gz2cE0fMbhEZolrRSQ2hyYIIT:bmGaD0JcaaD0JwQQRtAg/0bjSQJ
MD5:	ECA35DA626DE931D98B5F9D45C881F48
SHA1:	5A79A208FDD3A6BBED08B62F1C3C076F8D033F56
SHA-256:	C7E91A5A8098D21DB29A82C59A7B4D75F46155462817CBD66AA5ED280EBC9209
SHA-512:	A8F08FCCA3CD88DEAC7B7AEDEDD8DE2E971BBE8A201C014AC26B8262671E907149F62BA10BC0477434A641F66624C493F1BC877D679C940701BB6069D496F5FD
Malicious:	false
Preview:	....E..h..(.....7....y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................7....y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x61364723, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09293683689330966
Encrypted:	false
SSDEEP:	6:6XGzwl/+Fh+1RIE11Y8TRX2SpFKEXGzwl/+Fh+1RIE11Y8TRX2SpFK:H0+r6O4blxKR0+r6O4blxK
MD5:	CBA0BEBC50A86F7FE7EB9D139CDC12BA
SHA1:	F2897596769E45232041229566E74F93AA257D06
SHA-256:	06EA752C0407DE2F1A68F73EFD6D3DCAE1D32A117C7A33E40841A8CC1E7ABA3F
SHA-512:	037589BEE3162979EEE196A57A03F80380923D63F88FF35ECD121C0B217392ABA043DBEF05954DB2D7CF04550ECD2CBD49F18D3CBCC1DFE39A157114522F6ABB
Malicious:	false
Preview:	a6G#... ................e.f.3...w........................&..........w..7....y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w..........................................................................................................................................................................................................................................7....y....................#.7....y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.10537731174267641
Encrypted:	false
SSDEEP:	3:ftl1EvStcNkj8l/bJdAtiipWqll:fASuNkj8t4rpf
MD5:	C8B9BA09235D518D392E59E21BC7A290
SHA1:	EB567E3AD7B76C930A95106818DE59DE35774EBB
SHA-256:	A2155CA665534C05848754901FFF63FEE3C19D10BB6202F6E2535EEBEA546109
SHA-512:	846EBCFE05D93FDDA8A4E47CF7D3745D2C0A6CCB4F81679C6F717B25207DF19D9F996FB1C0CFCEC3C10906712930EC1BC30E5B6A62BFDE04A5ED6C564C075159
Malicious:	false
Preview:	.FUn.....................................3...w..7....y.......w...............w.......w....:O.....w....................#.7....y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.136946567981312
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3r9mNI9sk9+MlWlLehB4yAq7ejCMmNI91:OaqdmuF3rwNWv+kWReH4yJ7MINW1
MD5:	0844A93C5C624826B331967FE0048B42
SHA1:	7B176C548AB8343D6C30E13D6916350552600BC9
SHA-256:	26E280B32E0B9F5344F72230322FCE26D08348D2975810605743FC1E7D7637BA
SHA-512:	62E4EB5C9E871AF43C706B0172611BDCD8128A1A783F97960B9D4512B3791F1BDD0F74B02289898846D36BA4F7F2091B55B4F57F31702580D67C4D30AF3FB928
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. M.a.r. .. 1.2. .. 2.0.2.1. .1.6.:.2.8.:.0.8.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. F.r.i. .. M.a.r. .. 1.2. .. 2.0.2.1. .1.6.:.2.8.:.0.8.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.0032331918802715
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2ojdmC51As.exe
File size:	376832
MD5:	5804d97670dcdfab88ba830682355dad
SHA1:	65c817fb511824fa185f34ecd744b836ed7a19eb
SHA256:	4e885ada930e285a005c5211b8a652dc0eb11a06ccf530561afa88aefe99c9fc
SHA512:	befd479d37ff5bef768d61aeec101b4f584e8519f4b3d60f6f0692614ce8925a8303ae478b4d21652b64bc36bc38e9df2eb44d874c2f973f310f2e8ff2a0c7a4
SSDEEP:	6144:HzoTjUrx4KVHa9eUfTLHy2VrH0D+wieIMl7lT2IcO/wksAPJLzx:ToCHVcjZwie57l6i/wi
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........!..`r..`r..`r..`r..`r..sr..`r..as..`r..arC.`rp.nr..`r..jr..`r..kr..`rK.fr..`rRich..`r................PE..L......_...........

File Icon


Icon Hash:	71b018ccc6577131

Static PE Info

General
Entrypoint:	0x406388
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5F920784 [Thu Oct 22 22:28:20 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	875a1634331d344707689db6d9489063

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0042F100h
push 00409800h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0042B2CCh]
xor edx, edx
mov dl, ah
mov dword ptr [00439D04h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00439D00h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [00439CFCh], ecx
shr eax, 10h
mov dword ptr [00439CF8h], eax
push 00000001h
call 00007F142CAD7E8Eh
pop ecx
test eax, eax
jne 00007F142CAD690Ah
push 0000001Ch
call 00007F142CAD69C8h
pop ecx
call 00007F142CAD92F9h
test eax, eax
jne 00007F142CAD690Ah
push 00000010h
call 00007F142CAD69B7h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F142CAD9B32h
call dword ptr [0042B1D0h]
mov dword ptr [0043B87Ch], eax
call 00007F142CAD99F0h
mov dword ptr [00439CE8h], eax
call 00007F142CAD9799h
call 00007F142CAD96DBh
call 00007F142CAD6AECh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0042B1D4h]
call 00007F142CAD966Ch
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F142CAD6908h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[C++] VS98 (6.0) build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x33a68	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x23812	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x5c8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29ef1	0x2a000	False	0.574718656994	data	6.56296579611	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0xa8be	0xb000	False	0.309792258523	data	4.42786700159	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x36000	0x5890	0x2000	False	0.253784179688	data	3.64382398996	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x3c000	0x23812	0x24000	False	0.909579806858	data	7.73501222548	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x3c8e0	0x134	data	English	United States
RT_CURSOR	0x3ca14	0xb4	data	English	United States
RT_CURSOR	0x3cac8	0x134	data	English	United States
RT_CURSOR	0x3cbfc	0xb4	data	English	United States
RT_ICON	0x3ccb0	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	English	United States
RT_ICON	0x3cf98	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x3d0c0	0x2e8	data	English	United States
RT_ICON	0x3d3a8	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_MENU	0x3d4d0	0x23e	data	English	United States
RT_STRING	0x3d710	0x90	data	English	United States
RT_STRING	0x3d7a0	0x3e	data	English	United States
RT_STRING	0x3d7e0	0x296	data	English	United States
RT_STRING	0x3da78	0x260	data	English	United States
RT_STRING	0x3dcd8	0x328	data	English	United States
RT_STRING	0x3e000	0x70	data	English	United States
RT_STRING	0x3e070	0x106	data	English	United States
RT_STRING	0x3e178	0xda	data	English	United States
RT_STRING	0x3e254	0x46	data	English	United States
RT_STRING	0x3e29c	0xc6	data	English	United States
RT_STRING	0x3e364	0x1f8	data	English	United States
RT_STRING	0x3e55c	0x86	data	English	United States
RT_STRING	0x3e5e4	0xd0	data	English	United States
RT_STRING	0x3e6b4	0x2a	data	English	United States
RT_STRING	0x3e6e0	0x14a	data	English	United States
RT_STRING	0x3e82c	0x124	data	English	United States
RT_STRING	0x3e950	0x4e2	data	English	United States
RT_STRING	0x3ee34	0x2a2	data	English	United States
RT_STRING	0x3f0d8	0x2dc	data	English	United States
RT_STRING	0x3f3b4	0xac	data	English	United States
RT_STRING	0x3f460	0xde	data	English	United States
RT_STRING	0x3f540	0x4c4	data	English	United States
RT_STRING	0x3fa04	0x264	data	English	United States
RT_STRING	0x3fc68	0x2c	data	English	United States
RT_ACCELERATOR	0x3fc94	0x70	data	English	United States
RT_ACCELERATOR	0x3fd04	0x18	data	English	United States
RT_RCDATA	0x3fd1c	0x1f733	data	English	United States
RT_GROUP_CURSOR	0x5f450	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0x5f474	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_ICON	0x5f498	0x22	data	English	United States
RT_GROUP_ICON	0x5f4bc	0x22	data	English	United States
RT_VERSION	0x5f4e0	0x314	data	English	United States
None	0x5f7f4	0x1e	data	English	United States

Imports

DLL	Import
KERNEL32.dll	VirtualFree, IsBadWritePtr, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, SetUnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, HeapCreate, IsBadCodePtr, SetStdHandle, CompareStringA, CompareStringW, SetEnvironmentVariableA, HeapDestroy, GetACP, HeapSize, HeapReAlloc, RaiseException, TerminateProcess, ExitProcess, GetCommandLineA, GetStartupInfoA, HeapFree, InterlockedExchange, GetLocalTime, GetSystemTime, GetTimeZoneInformation, RtlUnwind, HeapAlloc, FileTimeToLocalFileTime, FileTimeToSystemTime, SetErrorMode, SystemTimeToFileTime, LocalFileTimeToFileTime, GetFileSize, GetVolumeInformationA, FindFirstFileA, FindClose, DeleteFileA, MoveFileA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, CreateFileA, DuplicateHandle, GetOEMCP, GetCPInfo, GetProcessVersion, WritePrivateProfileStringA, TlsGetValue, LocalReAlloc, TlsSetValue, EnterCriticalSection, GlobalReAlloc, LeaveCriticalSection, TlsFree, GlobalHandle, DeleteCriticalSection, TlsAlloc, InitializeCriticalSection, LocalFree, LocalAlloc, WideCharToMultiByte, InterlockedIncrement, GlobalFlags, InterlockedDecrement, GetLastError, SetLastError, MulDiv, lstrlenA, MultiByteToWideChar, GetDiskFreeSpaceA, GetFileTime, SetFileTime, GetFullPathNameA, GetTempFileNameA, lstrcpynA, GetFileAttributesA, FreeLibrary, GetVersion, lstrcatA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, lstrcpyA, GetModuleHandleA, CloseHandle, GetModuleFileNameA, GlobalAlloc, GlobalDeleteAtom, lstrcmpiA, GetCurrentThread, GetCurrentThreadId, lstrcmpA, GlobalLock, GlobalUnlock, GlobalFree, LockResource, FindResourceA, LoadResource, GetTickCount, Sleep, LoadLibraryA, VirtualAlloc, GetModuleHandleExA, GetProcAddress, GetCurrentProcess, IsBadReadPtr
USER32.dll	TranslateAcceleratorA, ReleaseCapture, GetDesktopWindow, DestroyMenu, LoadMenuA, SetMenu, ReuseDDElParam, UnpackDDElParam, BringWindowToTop, ClientToScreen, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, IsZoomed, SetParent, IsRectEmpty, AppendMenuA, DeleteMenu, GetSystemMenu, GetClassNameA, GetSysColorBrush, LoadStringA, CharUpperA, FindWindowA, GetTabbedTextExtentA, KillTimer, WindowFromPoint, InflateRect, SetCapture, InvertRect, GetDCEx, LockWindowUpdate, GetDC, ReleaseDC, LoadCursorA, DestroyCursor, ShowWindow, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, LoadIconA, UpdateWindow, SendDlgItemMessageA, MapWindowPoints, GetSysColor, SetFocus, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, BeginDeferWindowPos, CopyRect, EndDeferWindowPos, ScrollWindow, GetScrollInfo, LoadAcceleratorsA, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, GetTopWindow, IsChild, GetCapture, WinHelpA, wsprintfA, GetClassInfoA, RegisterClassA, GetMenu, GetMenuItemCount, GetSubMenu, GetWindowTextLengthA, GetWindowTextA, GetDlgCtrlID, DefWindowProcA, CreateWindowExA, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, CallWindowProcA, RemovePropA, GetMessageTime, GetMessagePos, GetForegroundWindow, SetForegroundWindow, GetWindow, SetWindowLongA, SetWindowPos, RegisterWindowMessageA, OffsetRect, IntersectRect, SystemParametersInfoA, IsIconic, GetWindowPlacement, GetWindowRect, GetMenuCheckMarkDimensions, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetFocus, GetKeyState, CallNextHookEx, ValidateRect, IsWindowVisible, GetCursorPos, SetWindowsHookExA, GetLastActivePopup, MessageBoxA, SetCursor, ShowOwnedPopups, PostMessageA, PostQuitMessage, GetNextDlgTabItem, EndDialog, GetActiveWindow, SetActiveWindow, IsWindow, GetSystemMetrics, CreateDialogIndirectParamA, DestroyWindow, GetParent, GetWindowLongA, GetDlgItem, IsWindowEnabled, SetRectEmpty, PtInRect, FillRect, SetScrollInfo, SetRect, SendMessageA, PeekMessageA, GetMessageA, TranslateMessage, DispatchMessageA, SetTimer, InvalidateRect, GetClientRect, LoadBitmapA, EnableWindow, GetMenuItemID, UnregisterClassA
GDI32.dll	GetDeviceCaps, PatBlt, GetStockObject, Rectangle, DPtoLP, CreatePen, GetViewportOrgEx, AbortDoc, EndDoc, EndPage, StartPage, StartDocA, SetAbortProc, CreateDCA, SaveDC, RestoreDC, SetBkMode, SetPolyFillMode, SetROP2, SetStretchBltMode, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, SelectClipRgn, ExcludeClipRect, IntersectClipRect, MoveToEx, LineTo, SetTextAlign, GetCurrentPositionEx, GetObjectA, CreateRectRgn, GetViewportExtEx, GetWindowExtEx, CreateSolidBrush, CreatePatternBrush, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, GetTextExtentPoint32A, GetTextMetricsA, StretchDIBits, GetCharWidthA, CreateFontA, CreateFontIndirectA, LPtoDP, GetBkColor, GetNearestColor, GetTextColor, GetStretchBltMode, GetPolyFillMode, GetTextAlign, GetBkMode, GetROP2, GetTextFaceA, GetWindowOrgEx, SetRectRgn, CombineRgn, CreateRectRgnIndirect, SetTextColor, SetBkColor, GetClipBox, CreateBitmap, CreateCompatibleBitmap, SelectObject, StretchBlt, DeleteObject, DeleteDC, BitBlt, CreateCompatibleDC
comdlg32.dll	GetFileTitleA, PrintDlgA, CommDlgExtendedError, GetSaveFileNameA, GetOpenFileNameA
WINSPOOL.DRV	OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll	RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, GetFileSecurityA, SetFileSecurityA, RegSetValueExA
SHELL32.dll	DragQueryFileA, DragFinish
COMCTL32.dll

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2003
InternalName	EffectDemo
FileVersion	1, 0, 0, 1
CompanyName
LegalTrademarks
ProductName	EffectDemo Application
ProductVersion	1, 0, 0, 1
FileDescription	EffectDemo MFC Application
OriginalFilename	EffectDemo.EXE
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2021 16:26:58.447586060 CET	49718	443	192.168.2.5	200.116.145.225
Mar 12, 2021 16:27:01.460962057 CET	49718	443	192.168.2.5	200.116.145.225
Mar 12, 2021 16:27:07.461484909 CET	49718	443	192.168.2.5	200.116.145.225
Mar 12, 2021 16:27:22.953353882 CET	49723	8080	192.168.2.5	96.126.101.6
Mar 12, 2021 16:27:23.155994892 CET	8080	49723	96.126.101.6	192.168.2.5
Mar 12, 2021 16:27:23.664577007 CET	49723	8080	192.168.2.5	96.126.101.6
Mar 12, 2021 16:27:23.867755890 CET	8080	49723	96.126.101.6	192.168.2.5
Mar 12, 2021 16:27:24.370033979 CET	49723	8080	192.168.2.5	96.126.101.6
Mar 12, 2021 16:27:24.571486950 CET	8080	49723	96.126.101.6	192.168.2.5
Mar 12, 2021 16:27:27.230458021 CET	49724	8080	192.168.2.5	5.196.108.185
Mar 12, 2021 16:27:27.280580044 CET	8080	49724	5.196.108.185	192.168.2.5
Mar 12, 2021 16:27:27.280803919 CET	49724	8080	192.168.2.5	5.196.108.185
Mar 12, 2021 16:27:27.281419992 CET	49724	8080	192.168.2.5	5.196.108.185
Mar 12, 2021 16:27:27.281521082 CET	49724	8080	192.168.2.5	5.196.108.185
Mar 12, 2021 16:27:27.331361055 CET	8080	49724	5.196.108.185	192.168.2.5
Mar 12, 2021 16:27:27.331389904 CET	8080	49724	5.196.108.185	192.168.2.5
Mar 12, 2021 16:27:27.331406116 CET	8080	49724	5.196.108.185	192.168.2.5
Mar 12, 2021 16:27:27.331490993 CET	8080	49724	5.196.108.185	192.168.2.5
Mar 12, 2021 16:27:27.332134008 CET	49724	8080	192.168.2.5	5.196.108.185
Mar 12, 2021 16:27:30.959634066 CET	49728	8080	192.168.2.5	167.114.153.111
Mar 12, 2021 16:27:31.091815948 CET	8080	49728	167.114.153.111	192.168.2.5
Mar 12, 2021 16:27:31.602680922 CET	49728	8080	192.168.2.5	167.114.153.111
Mar 12, 2021 16:27:31.736118078 CET	8080	49728	167.114.153.111	192.168.2.5
Mar 12, 2021 16:27:32.243485928 CET	49728	8080	192.168.2.5	167.114.153.111
Mar 12, 2021 16:27:32.375684977 CET	8080	49728	167.114.153.111	192.168.2.5
Mar 12, 2021 16:27:34.950972080 CET	49729	443	192.168.2.5	194.187.133.160
Mar 12, 2021 16:27:35.035270929 CET	443	49729	194.187.133.160	192.168.2.5
Mar 12, 2021 16:27:35.541098118 CET	49729	443	192.168.2.5	194.187.133.160
Mar 12, 2021 16:27:35.625196934 CET	443	49729	194.187.133.160	192.168.2.5
Mar 12, 2021 16:27:36.134251118 CET	49729	443	192.168.2.5	194.187.133.160
Mar 12, 2021 16:27:36.218451977 CET	443	49729	194.187.133.160	192.168.2.5
Mar 12, 2021 16:27:38.503649950 CET	49735	80	192.168.2.5	98.174.164.72
Mar 12, 2021 16:27:41.556896925 CET	49735	80	192.168.2.5	98.174.164.72
Mar 12, 2021 16:27:47.572745085 CET	49735	80	192.168.2.5	98.174.164.72
Mar 12, 2021 16:27:57.331772089 CET	8080	49724	5.196.108.185	192.168.2.5
Mar 12, 2021 16:27:57.331887960 CET	49724	8080	192.168.2.5	5.196.108.185
Mar 12, 2021 16:28:03.714349985 CET	49747	8080	192.168.2.5	103.86.49.11
Mar 12, 2021 16:28:06.715009928 CET	49747	8080	192.168.2.5	103.86.49.11
Mar 12, 2021 16:28:12.731170893 CET	49747	8080	192.168.2.5	103.86.49.11
Mar 12, 2021 16:28:27.509466887 CET	49748	8080	192.168.2.5	78.24.219.147
Mar 12, 2021 16:28:30.513876915 CET	49748	8080	192.168.2.5	78.24.219.147
Mar 12, 2021 16:28:36.530047894 CET	49748	8080	192.168.2.5	78.24.219.147
Mar 12, 2021 16:28:48.328850031 CET	49724	8080	192.168.2.5	5.196.108.185
Mar 12, 2021 16:28:48.380722046 CET	8080	49724	5.196.108.185	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2021 16:26:31.658188105 CET	53784	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:31.709811926 CET	53	53784	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:32.969959021 CET	65307	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:33.009445906 CET	64344	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:33.020936012 CET	53	65307	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:33.062737942 CET	53	64344	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:33.092528105 CET	62060	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:33.144085884 CET	53	62060	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:33.978004932 CET	61805	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:34.026830912 CET	53	61805	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:34.754923105 CET	54795	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:34.808681011 CET	53	54795	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:35.552190065 CET	49557	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:35.612155914 CET	53	49557	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:35.815581083 CET	61733	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:35.874965906 CET	53	61733	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:36.903786898 CET	65447	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:36.952532053 CET	53	65447	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:38.123769999 CET	52441	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:38.174591064 CET	53	52441	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:39.035057068 CET	62176	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:39.085207939 CET	53	62176	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:39.971512079 CET	59596	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:40.031546116 CET	53	59596	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:40.905356884 CET	65296	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:40.970282078 CET	53	65296	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:41.698667049 CET	63183	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:41.756468058 CET	53	63183	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:42.755387068 CET	60151	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:42.804197073 CET	53	60151	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:58.430424929 CET	56969	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:58.491851091 CET	53	56969	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:09.681801081 CET	55161	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:09.733831882 CET	53	55161	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:18.314511061 CET	54757	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:18.373548985 CET	53	54757	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:27.852175951 CET	49992	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:27.909488916 CET	53	49992	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:30.678214073 CET	60075	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:30.727032900 CET	53	60075	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:35.550229073 CET	55016	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:35.609936953 CET	53	55016	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:54.762638092 CET	64345	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:54.814448118 CET	53	64345	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:55.492172956 CET	57128	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:55.552234888 CET	53	57128	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:55.966312885 CET	54791	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:56.028846979 CET	53	54791	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:56.474679947 CET	50463	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:56.531752110 CET	53	50463	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:56.819484949 CET	50394	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:56.887015104 CET	53	50394	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:57.060777903 CET	58530	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:57.117913961 CET	53	58530	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:57.744611979 CET	53813	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:57.794827938 CET	53	53813	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:58.390858889 CET	63732	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:58.448246956 CET	53	63732	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:59.164827108 CET	57344	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:59.226840019 CET	53	57344	8.8.8.8	192.168.2.5
Mar 12, 2021 16:28:00.153496981 CET	54450	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:28:00.203022003 CET	53	54450	8.8.8.8	192.168.2.5
Mar 12, 2021 16:28:00.828726053 CET	59261	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:28:00.888631105 CET	53	59261	8.8.8.8	192.168.2.5

HTTP Request Dependency Graph

5.196.108.185

5.196.108.185:8080

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49724	5.196.108.185	8080	C:\Windows\SysWOW64\WsmSvc\iasrecst.exe

Timestamp	kBytes transferred	Direction	Data
Mar 12, 2021 16:27:27.281419992 CET	1561	OUT	POST /wGf14n07/vS3mZ/aWoW/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 5.196.108.185/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=-----------jFClBgacZrw User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 5.196.108.185:8080 Content-Length: 4596 Cache-Control: no-cache
Mar 12, 2021 16:27:27.331406116 CET	1566	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 12 Mar 2021 15:27:27 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: 2ojdmC51As.exe PID: 5356 Parent PID: 5616

General

Start time:	16:26:40
Start date:	12/03/2021
Path:	C:\Users\user\Desktop\2ojdmC51As.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\2ojdmC51As.exe'
Imagebase:	0x400000
File size:	376832 bytes
MD5 hash:	5804D97670DCDFAB88BA830682355DAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.231317711.0000000002194000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.230964663.0000000000600000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: iasrecst.exe PID: 2964 Parent PID: 5356

General

Start time:	16:26:41
Start date:	12/03/2021
Path:	C:\Windows\SysWOW64\WsmSvc\iasrecst.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WsmSvc\iasrecst.exe
Imagebase:	0x400000
File size:	376832 bytes
MD5 hash:	5804D97670DCDFAB88BA830682355DAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.494960467.0000000000710000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.496587282.0000000002284000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: svchost.exe PID: 396 Parent PID: 556

General

Start time:	16:26:54
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 5292 Parent PID: 556

General

Start time:	16:27:04
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6048 Parent PID: 556

General

Start time:	16:27:05
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 5116 Parent PID: 556

General

Start time:	16:27:05
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: SgrmBroker.exe PID: 5456 Parent PID: 556

General

Start time:	16:27:06
Start date:	12/03/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff6e2520000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 5548 Parent PID: 556

General

Start time:	16:27:06
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6492 Parent PID: 556

General

Start time:	16:27:09
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 7096 Parent PID: 556

General

Start time:	16:27:30
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6208 Parent PID: 556

General

Start time:	16:27:45
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6596 Parent PID: 556

General

Start time:	16:27:53
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: MpCmdRun.exe PID: 4660 Parent PID: 5548

General

Start time:	16:28:07
Start date:	12/03/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff685440000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 4672 Parent PID: 4660

General

Start time:	16:28:08
Start date:	12/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 2ojdmC51As.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre